AUTHENTICATED , 
US. GOVERNMENT 
INFORMATION ^ 


ENCRYPTION SECURITY IN A HIGH TECH ERA 


HEARING 

BEFORE THE 

SUBCOMMITTEE ON 

INTERNATIONAL ECONOMIC POLICY AND TRADE 

OF THE 

COMMITTEE ON 
INTERNATIONAL RELATIONS 
HOUSE OF REPRESENTATRH]S 

ONE HUNDRED SIXTH CONGRESS 

FIRST SESSION 


TUESDAY, MAY 18, 1999 


Serial No. 106-108 


Printed for the use of the Committee on International Relations 



Available via the World Wide Web: http://www.house.gov/international relations 


64-674 CC 


U.S. GOVERNMENT PRINTING OFFICE 
WASHINGTON : 2000 


COMMITTEE ON INTERNATIONAL RELATIONS 

BENJAMIN A. GILMAN, New York, Chairman 


WILLIAM F. GOODLING, Pennsylvania 
JAMES A. LEACH, Iowa 
HENRY J. HYDE, Illinois 
DOUG BEREUTER, Nebraska 
CHRISTOPHER H. SMITH, New Jersey 
DAN BURTON, Indiana 
ELTON GALLEGLY, California 
ILEANA ROS-LEHTINEN, Florida 
CASS BALLENGER, North Carolina 
DANA ROHRABACHER, California 
DONALD A. MANZULLO, Illinois 
EDWARD R. ROYCE, California 
PETER T. KING, New York 
STEVEN J. CHABOT, Ohio 
MARSHALL “MARK” SANFORD, South 
Carolina 

MATT SALMON, Arizona 
AMO HOUGHTON, New York 
TOM CAMPBELL, California 
JOHN M. McHUGH, New York 
KEVIN BRADY, Texas 
RICHARD BURR, North Carolina 
PAUL E. GILLMOR, Ohio 
GEORGE RADAVANOVICH, Califorina 
JOHN COOKSEY, Louisiana 
THOMAS G. TANCREDO, Colorado 


SAM GEJDENSON, Connecticut 
TOM LANTOS, California 
HOWARD L. BERMAN, California 
GARY L. AC KE RMAN, New York 
ENI F.H. FALEOMAVAEGA, American 
Samoa 

MATTHEW G. MARTINEZ, California 
DONALD M. PAYNE, New Jersey 
ROBERT MENENDEZ, New Jersey 
SHERROD BROWN, Ohio 
CYNTHIA A. MCKINNEY, Georgia 
ALCEE L. HASTINGS, Florida 
PAT DANNER, Missouri 
EARL F. HILLIARD, Alabama 
BRAD SHERMAN, California 
ROBERT WEXLER, Florida 
STEVEN R. ROTHMAN, New Jersey 
JIM DAVIS, Florida 
EARL POMEROY, North Dakota 
WILLIAM D. DELAHUNT, Massachusetts 
GREGORY W. MEEKS, New York 
BARBARA LEE, California 
JOSEPH CROWLEY, New York 
JOSEPH M. HOEFFEL, Pennsylvania 


Richard J. Garon, Chief of Staff 
Kathleen Bertelsen Moazed, Democratic Chief of Staff 


Subcommittee on International Economic Policy and Trade 


ILEANA ROS-LEHTINEN, Florida, Chairwoman 


DONALD A. MANZULLO, Illinois 
STEVEN J. CHABOT, Ohio 
KEVIN BRADY, Texas 
GEORGE RADANOVICH, California 
JOHN COOKSEY, Louisiana 
DOUG BEREUTER, Nebraska 
DANA ROHRABACHER, California 
TOM CAMPBELL, California 
RICHARD BURR, North Carolina 


ROBERT MENENDEZ, New Jersey 
PAT DANNER, Missouri 
EARL F. HILLIARD, Alabama 
BRAD SHERMAN, California 
STEVEN R. ROTHMAN, New Jersey 
WILLIAM D. DELAHUNT, Massachusetts 
JOSEPH CROWLEY, New York 
JOSEPH M. HOEFFEL, Pennsylvania 


Mauricio Tamargo, Subcommittee Staff Director 
Jodi Christiansen, Democratic Professional Staff Member 
Yleem Poblete, Professional Staff Member 
Camilla Ruiz, Staff Associate 


(II) 



CONTENTS 


WITNESSES 

Page 

William Reinsch, Under Secretary of Commerce, Bureau of Export Adminis- 
tration 9 

Barbara McNamara, Deputy Director, National Security Agency 11 

Ron Lee, Assistant Attorney General, National Security, Department of Jus- 
tice 13 

Gene Voegtlin, Esq., Legislative Counsel, International Association of Chiefs 

of Police 16 

Ira Rubinstein, Senior Corporate Attorney, Microsoft Corporation 41 

Jeffrey Smith, General Counsel, Americans for Computer Privacy 43 

David Weiss, Vice President of Product Marketing, CiTRIX Corporation 44 

Alan Davidson, Staff Counsel, Center for Democracy and Technology 45 

Dinah Pokempner, Deputy General Counsel, Human Rights Watch 47 

Ed Black, President and CEO, Computer and Communications Industry Asso- 
ciation 48 


(III) 



ENCRYPTION SECURITY IN A HIGH TECH ERA 


Tuesday, May 18, 1999 

House of Representatives, 

Subcommittee on International Economic 

Policy and Trade, 
Committee on International Relations, 

Washington, D.C. 

The Subcommittee met, pursuant to notice at 2:15 p.m., in room 
2172, Rayburn House Office Building, Hon. Ileana Ros-Lehtinen 
[Chairwoman of the Subcommittee] presiding. 

Ms. Ros-Lehtinen. [presiding] The Subcommittee will come to 
order. 

I apologize for arriving late. I had to give a brief remark on a 
luncheon that Congressman Menendez, Mr. Gilman, and I are 
hosting for Cuban political prisoners tomorrow. So I hope that all 
of you could join us in room 2200 at 1 p.m. So I was speaking on 
the Floor and I was unavoidably delayed. Thank you so much for 
your patience and I apologize especially to my Ranking Member. 

Someone once said I used to think that cyberspace was 50 years 
away. What I thought was 50 years away was only 10 years away. 
What I thought was 10 years away, it was already here, I just 
wasn’t aware of it yet. This applies to the debate today on 
encryption where it seems our policy is trying to play a game of 
catch up with our technological advancements. 

The Internet has rapidly expanded as a form in which to conduct 
business transactions, and millions of messages are transferred in 
a matter of seconds across oceans and continents, over barriers of 
languages and culture. Information that used to take hours to 
transfer can now be sent in a matter of seconds. Contracts are com- 
pleted in minutes. Mergers in what seems instantaneously. In an 
increasingly diverse and globalized marketplace, the availability 
and efficiency of electronic businesses is becoming more appealing 
for companies hoping to keep a competitive advantage in inter- 
national trade, maintaining their dominance in or seeking to cap- 
ture the market of brain-power industries. 

As these types of information transfers become more common, 
fear has emerged about their security and about the interception 
of messages and transactions by those who seek to steal or sabo- 
tage. Technology to prevent these types of invasions and violations 
of personal, corporate, and government security by encoding digital 
information already exists. It is what we call encryption. A need for 
commercial encryption rapidly developed with the growth of the 
global economy and, with it, so did concerns over exporting this 
technology to our overseas counterparts. The business community, 

( 1 ) 



2 


the Administration, and law enforcement entities have been at 
odds as to how to best promote American technological products 
abroad while ensuring that our security, both national and eco- 
nomic, are not threatened by the export of American-designed 
encryption products. 

The Administration has stated its concerns about possible 
threats to U.S. national security and to public safety, which they 
feel would arise if criminals and terrorists were to use encryption 
that the U.S. Government could not penetrate. They fear that if 
there were no export controls on encryption and no key recovery 
features on the products we sell in overseas markets, it would fur- 
ther complicate and impede law enforcement efforts at tracking 
down terrorists or other criminals who use computers in their ef- 
forts to promote violent terrorist acts or who commit economic sab- 
otage. 

Opponents of the Administration’s view argue that export con- 
trols cannot prevent access to strong non key recovery encryption 
by criminals because it is widely available elsewhere, including 
over the Internet where it can be easily downloaded from foreign 
company sites. They add that the one thing these controls are en- 
suring is U.S. companies losing market shares to foreign competi- 
tors. Currently, there are no statutory restrictions on the domestic 
use of encryption, but the industry argues that restrictive export 
controls have hampered technological development and will con- 
tinue to thwart U.S. efforts until American companies will lose 
their current technological dominance. There is a need for strong 
encryption for domestic use and cross-border communications and 
transactions. 

While the Administration argues that it has continued to pro- 
mote stronger encryption products of greater than 56 bits, it has 
done so under the condition that these be designed with key recov- 
ery features where a third-party would have access to a key to 
decrypt the information. Further, the Administration’s decision to 
liberalize exports for certain industries ignores the security needs 
of other sectors left unprotected by current restrictions. 

Privacy advocates contend that the Administration has been uti- 
lizing the export control process to influence whether companies de- 
veloped key recovery encryption products by facilitating the expor- 
tation of these products and making it more difficult to export un- 
recoverable encryption products. They further state that the na- 
tional security arguments fail any test of logic that strong 
encryption serves as a deterrent to criminal activity by making it 
difficult for those who engage in espionage to penetrate the system. 

Aside from the fact that all parties agree about the important 
role of encryption in electronic commerce, little consensus has been 
reached on the issue of export controls. The SAFE Act is one of the 
several legislative attempts at codifying existing domestic use pol- 
icy and at liberalizing U.S. export control regulations to compete 
successfully in the global arena. This will be one of the issues we 
hope to cover today as we attempt to debate the future of 
encryption and the effects of controls on our technological market. 

I would like to recognize our Ranking Member, Mr. Menendez of 
New Jersey for his opening statement. Mr. Menendez. 



3 


Mr. Menendez. Thank you, Madam Chair Lady, and I am happy 
to see that we are having this hearing which I think is an incred- 
ibly important one the Committee has jurisdiction over, and one 
that I think is going to he a part of making sure, along with the 
Export Administration Act and a few other issues that this Com- 
mittee has jurisdiction in, that continues to fuel America’s competi- 
tiveness in the future. The decisions that we make are going to af- 
fect American industry and American competitiveness in this new 
millennium. 

Now anyone who has been on the Internet and purchased a book 
from Amazon.com or ordered an airline ticket online is familiar 
with encryption technology. In the information age, encryption 
technology is like a Wells Fargo truck. It keeps your information 
under lock and key and delivers it only to its intended end-user. 
Encryption technology is crucial to the development of electronic 
commerce, which is growing by leaps and bounds. According to 
Under Secretary Reinsch’s testimony, electronic commerce trans- 
actions in 1996 were $12 million, but are projected to reach $2.1 
billion by the year 2000. 

So I think we need to be clear, from the very outset, that the 
encryption debate is not about who does and who does not support 
our national security interests. None of us who support moving 
encryption technology forward believe that we would do anything 
to risk the national security of the United States. I do not care for 
those who would suggest that, in fact, we do. No one is advocating 
a policy that would intentionally compromise U.S. national security 
or the safety of American citizens. The encryption debate is more 
about whether or not it is too late for the U.S. Government and law 
enforcement to control the spread of non key recovery encryption 
products in the U.S. and abroad. 

Clearly, we should consider the value of controlling only the 
strongest encryption technologies. However, the value of controlling 
anything over 56-bit technology when 128-bit technology can be 
downloaded from the Internet, is questionable. American industry 
is rightly concerned about losing market shares to foreign competi- 
tors who have no restrictions on their products. We can be certain 
that if the United States cannot offer non key recovery encryption 
technology overseas, that consumers will buy it from the French, 
Japanese, and Israeli companies who are making similar products. 
Or from American companies who establish companies overseas, 
produce the intellectual property there, and that ultimately means 
job losses here at home as well as revenue losses here at home. 

Now the goal of the FBI, NSA, and law enforcement agencies is 
well-founded. The key recovery system would ensure that they 
have access to the requisite data to snag criminals or track sus- 
pected criminal activities. Yet the proliferation of non key recovery 
technology within the United States and abroad and the rapid 
speed at which this industry is developing leads me to believe that 
the Administration’s policy is too little, too late. 

I look forward to hearing the testimony of our witnesses, in par- 
ticular, the representatives from the FBI and NSA. I would very 
much like to hear your views on current policy and your concerns 
with the Goodlatte legislation. I will do so with an open mind, but 



4 


I believe we cannot turn back the clock as we move forward into 
a new millennium. Thank you, Madam Chairwoman. 

Ms. Ros-Lehtinen. Thank you so much, Mr. Menendez. We are 
thrilled to have the Chairman of our Committee, Congressman Ben 
Gilman of New York, join us. It shows the high level of importance 
that he gives to this issue of encryption. Welcome, Mr. Gilman. 

Mr. Gilman. Thank you. Madam chairman. I want to thank you 
for arranging this hearing with these experts who are all prepared 
to testify before us today. You certainly have a good cross-section 
of views assembled. I welcome this opportunity to attend this very 
important hearing on security in the high-tech era and on the Se- 
curity and Freedom through Encryption Act, the SAFE Act, H.R. 
850, sponsored by the gentleman from Virginia, Mr. Goodlatte, and 
the gentle lady from California, Ms. Lofgren. 

I am pleased that the witnesses before us today come from a 
broad cross-section of the law enforcement community, export con- 
trol and intelligence agencies, human rights and privacy advocates, 
and the private sector representatives. I would like to compliment 
you. Madam Chair, for your holding this hearing at this time and 
taking a leading role on this vitally important issue. 

I would like to remind my colleagues that on Thursday of this 
week at 9 a.m., the Chairman of the Intelligence Committee, Mr. 
Porter, and I will be co-hosting a members-only classified briefing 
on the implications of decontrolling the export of encryption prod- 
ucts. I urge our colleagues on this Committee to attend if they 
would like to have a full perspective on the national security and 
intelligence aspects of the encryption issue. 

In my view, before we begin the process of making sweeping 
changes in our export control laws. Congress should avail itself of 
all the information we can obtain in all venues available to us. 
With the United States participating in a NATO-led military oper- 
ation against Serbia, we should be doubly cautious in this respect 
because of the possibility of terrorist attacks on our interests. I am 
very concerned that the enactment of a SAFE Act would make 
strong encryption all the more available to our adversaries and 
would undermine international efforts to modernize and improve 
multilateral export controls under the Wassenaar arrangement. 

I draw the attention of the Subcommittee Members to the recent 
statement of the International Association of the Chiefs of Police. 
“Unchecked proliferation of encryption technology poses an enor- 
mous danger to both law enforcement and to society as a whole.” 
In a May 12th letter that we received from B’nai Brith Inter- 
national, its president Richard Heideman noted that — and I 
quote — “Unlimited proliferation of nonrecoverable encryption prod- 
ucts may result in their use by terrorist groups, by narcotics traf- 
fickers, by members of organized crime, and other dangerous crimi- 
nals to the detriment of our Nation’s national security and public 
safety.” Mr. Heideman concluded that his organization has strong 
reservations about the Security and Freedom through Encryption 
Act and urges that Congress maintain meaningful export safe- 
guards. 

Unlimited proliferation of this technology only makes the street- 
corner drug dealer further immune from the consequences of his 
and others’ actions. The drug trade costs us billions each year in 



5 


crime, in health care costs, lost worker productivity, destroyed fam- 
ilies, and lost young lives. Let us not contribute to that carnage 
under the guise of greater trade and commerce. 

For those who say that this encryption technology is already 
readily available abroad, they often fail to remind you that foreign 
governments, in most cases, have also retained the right to access 
in protection of their national security interests. Those govern- 
ments are not naive, nor should we be. While we are still waiting 
for the final version of the Cox report on high-tech exports to 
China, many of their recommendations are already public. Among 
them are concrete suggestions on how to strengthen the successor 
regime of the Cold War COCOM export system. Its modern-day 
equivalent, the so-called Wassenaar arrangement has just agreed 
to modernize our multilateral encryption export control system, yet 
the enactment of the SAFE Act would undercut that arrangement 
and the findings of the Cox report. 

Accordingly, I urge my colleagues not to rush to judgment on an 
issue such as this which directly affects our national security and 
our law enforcement needs. I thank the gentle lady for recognizing 
me. 

Ms. Ros-Lehtinen. Thank you so much. Chairman Gilman. Mr. 
Delahunt. 

Mr. Delahunt. I thank you. Madam. I just would welcome my 
colleague from the Judiciary Committee and acknowledge the pres- 
ence of Mr. Goodlatte, one of the primary sponsors. I want to per- 
sonally welcome him. 

Ms. Ros-Lehtinen. Thank you, Mr. Delahunt. Mr. Bereuter. 

Mr. Bereuter. Madam Chairman, it is an important hearing 
today. I have been following this issue for quite some period of time 
now. I agree with many of the comments made by Chairman Gil- 
man. We do need to be concerned about the implications for law 
enforcement and national security and a lot of the best information 
we have in the way of documentation of its importance is classified. 
On the other hand, we need to make sure that we do in the way 
we control things does not have an unnecessary anti-competitive 
factor which is brought to bear. So I will say nothing further, but 
look forward to the testimony of two large and important groups 
of panelists. 

Ms. Ros-Lehtinen. Thank you, Doug. The sponsor of the bill, 
Mr. Goodlatte. We are honored to have you with us today. 

Mr. Goodlatte. Madam Chairman, first let me thank you for 
holding this hearing and for being very gracious in allowing me, a 
non-Member of the Committee, to participate. I would also like to 
thank the Ranking Member, Mr. Menendez, and Chairman Gilman 
for their participation in this and for allowing me to participate as 
well. 

I do have a statement that I would ask to be made a part of the 
record. 

Ms. Ros-Lehtinen. Without objection. 

[The information referred to appears in the appendix.] 

Mr. Goodlatte. I also have an article written by Congressman 
Chris Cox, the Chairman of the Cox Commission, who advocates a 
strong export policy with regard to exporting encryption, making it 
more available, entitled “China: Export of Technology Would be 



6 


Liberating Force,” in which he advocates the export of strong 
encryption. 

Madam Chairman, this much-needed bipartisan legislation cur- 
rently has 253 cosponsors, about 110 Democrats, about 140 Repub- 
licans; a majority of the Republican and Democratic leadership in 
the House are cosponsors as are two-thirds of the Members of the 
International Relations Committee and all but 4 Members of this 
Subcommittee, and it accomplishes several important goals. First 
and foremost, strong encryption in the hands of the good guys, if 
you will, helps to prevent a number of the concerns that have been 
raised by some of the Members of the Committee, which are legiti- 
mate concerns by law enforcement and national security, but mak- 
ing sure that we have strong encryption to protect e-mail, medical 
records, financial transactions, copyrighted material, industrial 
trade secrets, and a whole host of other areas, as well as pre- 
venting major terrorist and criminal activities such as breaking 
into the New York Stock Exchange or the Chicago Board of Trade 
or a nuclear power plant or the electric power grid of the United 
States are all very positive purposes that are hindered by a policy 
that discourages the use of strong encryption and which is the pol- 
icy that we have today. 

The gentleman from New Jersey mentioned the use of encryption 
by companies like Amazon.com and others who do business on the 
Internet. Amazon.com cannot use the 128-bit strong encryption 
that they use for domestic sales internationally, unless they ac- 
quire it from a foreign vendor. This, to me, seems to be a ludicrous 
consequence of the policy that we currently confront in this coun- 
try. 

I’ll give you another personal experience that I came across re- 
cently when I led a congressional delegation to Europe to deal with 
electronic commerce issues. In Brussels, in meeting with the dep- 
uty chief of the U.S. mission there, he indicated to me that he has 
worked with the National Security Agency and the FBI and other 
agencies on a regular basis on issues like this. But his own per- 
sonal experience colored his view of the need for significant change 
in our export control laws when he told me that he bought a $2,000 
computer system which was shipped to him from the United States 
and he then received a phone call from the company that sold it 
to him telling him they could not send him the software because 
it violated American export control laws. So he went down the 
street to a little shop in Brussels and purchased the software that 
he needed there. 

Today there are more than 20 significant strong companies in 
Europe creating encryption software that are major competitors to 
the United States that did not exist just a few years ago. What we 
are confronted with is a circumstance in which we are already be- 
ginning to see significant erosion in the U.S. dominance of the soft- 
ware and hardware computer industry because of the fact that 
most major software and hardware today has strong encryption 
built into it, and if you can’t export it out of the United States, you 
are better off dealing with a company overseas because if you are, 
for example, a company with branches in London, Paris, Tokyo, 
New York, and San Francisco, you can buy these products domesti- 
cally — there is no limitation on the domestic use of strong 



7 


encryption — and use them in your New York and San Francisco of- 
fices, but you can’t send them to your London, Paris, and Tokyo of- 
fice. 

However, if you buy it from a German company, to use an exam- 
ple, there are no import restrictions on strong encryption. So you 
can import the German products, use it at your New York and San 
Francisco offices and also send it to your London, Paris, and Tokyo 
offices. This is the crux of the problem that we have in not facing 
up to the fact that encryption is not like other items that are 
strongly suitable for export controls. 

Bombs, jets, mainframe computers are all products that are man- 
ufactured in a few places, sent to a few places, and the export of 
the products from this country can be a choke hold on making sure 
they don’t go to inappropriate places. But encryption is not a tan- 
gible thing. It is a mathematical algorithm. It is little ones and 
zeros going through fiber-optic wires and by satellite all over the 
world. So it is my hope that we will be able to move forward with 
this legislation, which will help to create and protect American 
jobs, which will help to fight crime in a whole host of ways, and 
which will protect the privacy of law-abiding American citizens and 
I very much thank you for the opportunity to participate today. 

Ms. Ros-Lehtinen. Thank you so much. Bob. Congressman Burr. 

Mr. Burr. Thank you. Madam Chairman. Let me just say that, 
my good friend Mr. Goodlatte, I had hoped that after we dispensed 
with this in Commerce last year that law enforcement and the 
technology businesses would find the agreement that could move 
forward together. Unfortunately, I don’t have the impression that 
we are there. That as you talked about the inability to export soft- 
ware, I think a year from now, with the new chips, we will, in fact, 
find ourselves not exporting the computer. I think we have some 
bigger problems to deal with. 

I would suggest today to my colleagues that the way to find the 
answer is not to dig our heels in the sand and say we can’t move 
from where we are. In fact, the challenge to each of us is to find 
where that balance is, to move there, and not to find new ways to 
drive technology offshore where, for a short-term gain, we do sig- 
nificant long-term damage to not only the development of business 
in this country and the creation of jobs, but to our national security 
which is an area that we are all sensitive to. 

Technology has few boundaries, as my good friend Mr. Goodlatte 
referred to, and our ability to understand technology’s flow around 
the world is, in fact, a significant key to our understanding of 
where we move with legislation. Madam chairman, I am only hope- 
ful that all Members will encourage not only the business sector, 
but the law enforcement sector to work a little bit harder to try to 
find a compromise, one that facilitates the business needs of the fu- 
ture, the development of technology, and also provides some assur- 
ances of law enforcement’s access. Clearly, if technology is that ad- 
vanced in intelligence, I am hopeful that somebody will transmit an 
updated map to our intelligence agencies. Maybe we won’t have 
quite the problem that we have had over the past week. 

Technology is a tremendous tool. It is a tremendous tool for every 
person in the world. It will become more the tool for opening up 
not only closed markets, but closed societies in the future. We have 



8 


to find a way to make this work, to make it work for all who have 
a concern and to utilize this tool to its fullest. I am confident that 
this hearing and many others that we will have this session of Con- 
gress will help us to get to that legislation. I thank the Chair and 
I yield hack. 

Ms. Ros-Lehtinen. Thank you. Mr. Radanovich. 

Mr. Radanovich. Thank you, Madam Chair, I will be brief. I 
would like to submit a statement for the record. 

Ms. Ros-Lehtinen. Without objection. 

[The information referred to appears in the appendix.] 

Mr. Radanovich. Thank you. But do want to state my wish that 
we get a bill forward sometime this session that would open up 
markets for U.S. business and, at the same time, preserve our se- 
curity. I appreciate the chairwoman for having this hearing and 
hopefully we can move this issue forward and get it dealt with. 
Thank you very much. 

Ms. Ros-Lehtinen. Thank you so much. Mr. Rohrabacher. 

Mr. Rohrabacher. I would just like to say that Mr. Goodlatte 
has put a lot of effort into this and is a very patriotic American 
and where we have had our disagreements in the past, I think that 
he is using good judgment here and I am very happy to be a co- 
sponsor of this bill. 

Ms. Ros-Lehtinen. Thank you. Thank you so much for your pa- 
tience, all of you in the audience and our panelists as well. We will 
first hear from Bill Reinsch, who currently serves as the under sec- 
retary for export Administration in the Department of Commerce. 
As head of this bureau, Mr. Reinsch is charged with administering 
and enforcing the export control policies of the U.S. Government. 
Before joining the Department of Commerce, he served on the 
staffs of several Members of Congress who are extensively involved 
with international trade issues. He has testified before this Sub- 
committee many times and we are glad to have you back. Bill. 
Thank you. 

Next will be Barbara McNamara, who is Deputy Director of the 
National Security Agency. From 1995 to 1997, Ms. McNamara 
served as the Deputy Director of operations. National Security 
Agency of the Central Security Service. Prior to that, she served as 
the NSA representative to the Department of Defense, as well as 
chief of the Office of International Economics and Global Issues in 
the Operations Organization. Ms. McNamara began her career in 
the National Security Agency as a linguist and served in a variety 
of analytical and management positions in the Operations Office. 
Thank you so much for being with us. 

Ronald Lee is the associate deputy attorney general for the De- 
partment of Justice. He is currently the Acting Director of the Ex- 
ecutive Office of National Security at the Department. He has 
served as the program manager for the development of the Admin- 
istration’s 5-year counter terrorism and technology crime plan. In 
1994, Mr. Lee was appointed as general counsel of the National Se- 
curity and served as their chief legal officer representing the NSA 
in all legal matters. Welcome, Mr. Lee, to our panel. 

We also have a representative from the International Association 
of Chiefs of Police, who is pro-export controls, but he does not rep- 
resent the Administration. Mr. Gene Voegtlin is the legislative 



9 


counsel of the International Association of Chiefs of Police. In this 
position, he is responsible for directing the day-to-day implementa- 
tion of the Association’s government affairs program. Prior to join- 
ing the Association, Mr. Voegtlin served as the Director of legisla- 
tive and political affairs for the National Federation of Federal Em- 
ployees. His prior experience also includes serving as a legislative 
representative of the Federal Managers Association and the Amer- 
ican Chemical Society. We welcome you, Mr. Voegtlin, today. 

We will begin with the Honorable Mr. Reinsch. Thank you. Bill. 

STATEMENT OF WILLIAM REINSCH, UNDER SECRETARY OF 
COMMERCE, BUREAU OF EXPORT ADMINISTRATION 

Mr. Reinsch. Thank you very much. Madam chairman. It is a 
pleasure to be here with you again to testify on the direction of the 
Administration’s encryption policy. I would appreciate. Madam 
chairman, if you would put my full statement in the record. 

Ms. Ros-Lehtinen. Correct. Without objection, we will glad to 
put all of your statements into the record. 

Mr. Reinsch. Thank you. Notwithstanding the comments of some 
of your colleagues. Madam Chairman, I think we have made a 
great deal of progress in this area since the last time I was here. 
But it is still, nevertheless, obvious that encryption remains a hotly 
debated issue. 

The Administration continues to support a balanced approach 
which considers privacy and commerce, as well as protecting impor- 
tant law enforcement and national security equities. We have been 
consulting closely with industry and its customers to develop policy 
that provides that balance in a way that also reflects the evolving 
realities of the marketplace. The Internet and other digital media 
are becoming increasingly important to the conduct of international 
business. Mr. Menendez used one of my better statistics and so I 
think I will skip over the other ones in my statements and you can 
read them. But I think there is no disagreement over that point, 
in any event. 

Clearly, many service industries, which traditionally required 
face-to-face interaction, such as banks, other financial institutions, 
and retail merchants, are now providing cyberservice. Customers 
can now sit at their home computers and access their banking and 
investment accounts or buy a winter jacket with a few strokes of 
their keyboard. Furthermore, most businesses maintain their 
records and other proprietary information electronically. They now 
conduct many of their day-to-day communications and business 
transactions via the Internet and e-mail. An inevitable byproduct 
of this growth of electronic commerce is the need for strong 
encryption to provide the necessary secure infrastructure for digital 
communications, transactions, and networks. 

Developing a new policy in this area has been complicated be- 
cause we do not want to hinder encryption’s legitimate use, par- 
ticularly for electronic commerce yet, at the same time, we want to 
protect our vital national security foreign policy and law enforce- 
ment interests. During the past 3 years, we have learned that 
there are many ways to assist in lawful access. There is no one- 
size-fits-all solution. On September 22nd of last year, we published 
a regulation implementing our decision to allow the export under 



10 


a license exception of unlimited strength encryption to banks and 
financial institutions located in countries that are Members of the 
Financial Action Task Force or which have effective anti-money 
laundering laws. 

The further result of our ongoing dialogue with industry was an 
update to our encryption policy which the Vice President unveiled 
last September 16th. The regulations implementing the update 
were published on December 31. This will not end the debate over 
encryption controls, but we believe the regulation addresses some 
private sector concerns by opening large markets and further 
streamlining exports. The update reduced controls on exports of 56- 
bit products and, for certain industry sectors, on exports of prod- 
ucts of unlimited bit length, whether or not they contain recovery 
features. 

In developing our policy, we identified key sectors that can form 
the basis of a secure infrastructure for communicating and storing 
information: banks, a broad range of financial institutions, insur- 
ance companies, online merchants, and health facilities. Many of 
the updates permit the export of encryption to these end-users 
under a license exception. The policy also allows for exports of 56- 
bit software and most hardware to any end-user under a license ex- 
ception; exports of strong encryption, including technology to U.S. 
companies and their subsidiaries, under a license exception, to pro- 
tect important business proprietary information; and approval 
under a licensing arrangement of recovery-capable or recoverable 
encryption products of any key length to recipients located in 46 
countries. Such products include systems that are managed by a 
network or corporate security administrator. 

In December, through the hard work of Ambassador David 
Aaron, the President’s special envoy on encryption, the Wassenaar 
arrangement’s members agreed on several changes related to 
encryption controls. Specific changes to multilateral encryption con- 
trols included removing them on all encryption products at or 
below 56-bits and on certain consumer items regardless of key 
length. 

Most importantly — and I want to take a moment on this. Madam 
chairman — the Wassenaar members agreed to remove encryption 
software from Wassenaar’s general software note and replace it 
with a new cryptography note. Drafted in 1991 when banks, gov- 
ernments, and militaries were the primary users of encryption, the 
general software note allowed countries to permit the export of 
mass-market encryption software without restriction. The GSN was 
created to release general purpose software used on personal com- 
puters, but it inadvertently encouraged some signatory countries to 
permit the unrestricted export of encryption software. It was essen- 
tial to modernize the general software note and close a loophole 
that permitted the uncontrolled export of encryption with unlimited 
key length. 

Under the new note, mass-market hardware has been added and 
a 64-key length or below has been set as an appropriate threshold. 
This will result in government review of the dissemination of mass- 
market software of up to 64-bits. I want to be clear that this does 
not mean encryption products of more than 64-bits cannot be ex- 
ported. Our own policy permits that as does the policy of most 



11 


other Wassenaar members. It does mean, however, that such ex- 
ports must be reviewed by governments consistent with their na- 
tional export control procedures. 

Finally, Madam chairman, with respect to H.R. 850, the Admin- 
istration opposes this legislation, as we did its predecessor in the 
last Congress. The bill proposes export liberalization far beyond 
what the Administration can entertain and which would be con- 
trary to our international export control obligations. Despite some 
cosmetic changes the authors have made, the bill in letter and spir- 
it would destroy the balance we have worked so hard to achieve 
and would jeopardize our law enforcement and national security in- 
terests. 

I want to reiterate that this Administration does not seek con- 
trols or restraints on domestic manufacture or use of encryption. 
We continue to believe the best way to make progress on ways to 
assist law enforcement is through a constructive dialogue. As a re- 
sult, we see no need for the statutory provisions contained in the 
bill. 

Second, once again, we must take exception to the bill’s export 
provisions. In particular, the references to lEEPA, as I understand 
them, might have the effect of precluding controls under current 
circumstances and in any future situation where the EAA had ex- 
pired and the definition of general availability, as in the past, 
would preclude export controls over most software. In addition, 
whether intended or not, we believe the bill as drafted could inhibit 
the development of key recovery, even as a viable commercial op- 
tion for those corporations and end-users that want it in order to 
guarantee access to their data. The Administration has repeatedly 
stated that it does not support mandatory key recovery, but we en- 
dorse and encourage development of voluntary key recovery sys- 
tems and, based on industry input, we see growing demand for 
them, especially corporate key recovery, that we do not want to cut- 
off. 

The Administration does not seek encryption export control legis- 
lation nor do we believe such legislation is needed. The current reg- 
ulatory structure provides for balanced oversight of export controls 
and the flexibility needed so that it can continue to promote our 
economic foreign policy and national security interests while ad- 
justing to advances in technology. We believe this is the best ap- 
proach to an encryption policy that promotes secure electronic com- 
merce, maintains U.S. leads in information technology, protects pri- 
vacy, and protects public safety and national security interests. 

Thank you. Madam chairman. 

Ms. Ros-Lehtinen. Thank you so much. 

Ms. McNamara. 

STATEMENT OF BARBARA MCNAMARA, DEPUTY DIRECTOR, 
NATIONAL SECURITY AGENCY 

Ms. McNamara. Good afternoon. Madam Chair. Thank you for 
the opportunity to appear today. I would like to begin briefly by in- 
troducing the National Security Agency and its mission and explain 
why this issue is so important to us. 

NSA secures information systems for the Department of Defense 
and other U.S. Government agencies and provides information de- 



12 


rived from foreign signals to a variety of users in the Federal Gov- 
ernment. It is the signal’s intelligence role that I want to address 
today. NSA intercepts and analyzes the communications signals of 
foreign adversaries to produce critically unique and actionable in- 
telligence reports for our national leaders and military com- 
manders. Very often, time is of the essence. Intelligence is perish- 
able. It is worthless if we cannot get it to the decisionmakers in 
time to make a difference. 

Signals intelligence proved its worth in World War II when the 
United States broke the Japanese naval code and learned of their 
plans to invade Midway Island. This intelligence significantly aided 
the U.S. defeat of the Japanese fleet and helped shorten the war. 
NSA provides the same kind of intelligence support today in the 
former Yugoslavia and other locations around the world wherever 
U.S. military forces are deployed. 

NSA signals intelligence efforts also support policymakers and 
law enforcement. Demands on NSA for timely intelligence have 
only grown since the breakup of the Soviet Union and have ex- 
panded into national security areas of terrorism, weapons prolifera- 
tion, and narcotics trafficking. Today, many of the world’s commu- 
nications are still unencrypted. Historically, encryption has been 
used primarily by governments and the military. It was employed 
for confidentiality and hardware-based systems and was often dif- 
ficult to use. As encryption moves to software-based implementa- 
tions and the infrastructure — and I underline infrastructure — de- 
velops to provide a host of encryption-related security services, 
encryption will spread and be widely used by other foreign adver- 
saries that have traditionally relied upon unencrypted communica- 
tions. As a result, much of the crucial information we are able to 
provide today could quickly become unavailable to the decision- 
maker. 

As you will hear from my colleague from the Department of Jus- 
tice, it is important to understand that the needs of national secu- 
rity and the needs of law enforcement are different and must be 
addressed separately. At NSA, we are focused on preserving export 
controls on encryption to protect national security. As you consider 
the SAFE Act, it is very important to understand the significant ef- 
fect certain provisions of this bill will have on national security. 

The SAFE Act would mandate the immediate decontrol of most 
commercial computer software encryption and specified hardware 
encryption exports. This will greatly complicate our exploitation of 
foreign targets and the timely delivery of usable intelligence be- 
cause it will take too long to decrypt a message if, indeed, we can 
decrypt it at all. This bill would also deprive us of the opportunity 
to conduct a meaningful review of a proposed encryption export. 
Historically, this review process has provided us with valuable in- 
sight into what is being exported, to whom, and for what purpose. 
Without this review and the ability to deny an export application 
if necessary, it will be impossible to control exports of encryption 
to countless bad guys. 

The SAFE Act would permit exports of encryption based on prod- 
ucts comparable to those being exported for foreign financial insti- 
tutions. But using the special treatment afforded banks and finan- 
cial institutions which are well-regulated and have a good record 



13 


of providing access to lawful requests for information, as the basis 
for a blanket approval of export to all other end-users in a country 
would eliminate important national security end-use consider- 
ations. The criteria for exporting encryption to these institutions 
should not be the basis for decontrolling other encryption exports. 

The SAFE Act also eliminates control for computer hardware 
with encryption capability if it is found that the product is avail- 
able in the overseas market. The apparent availability of a product 
in a country without regard to its actual performance capabilities 
or without restrictions on end-users or end-uses will have the prac- 
tical effect of forcing the decontrol of such exports, a condition that 
is unacceptable to national security. 

We believe that we need a balanced encryption policy that con- 
siders the needs of national security and industry. The recent U.S. 
and Wassenaar policy updates are positive moves in that direction. 
You will hear from others that industry is prohibited from export- 
ing anything greater than 56 bits. That is patently wrong. Last 
year’s update allows vendors to export unlimited-strength 
encryption, even 128 bits, to specified market sectors in a set of 
countries that represents approximately 70 percent of the world’s 
economies or did at the time and that redresses the issue of Ama- 
zon.com that Congressman Goodlatte referred to. 

This is an example of the kind of advances possible under the 
current regulatory structure which provides greater flexibility than 
a statutory structure would. Let me make it clear. We want U.S. 
companies to effectively compete in world markets. In fact, it is 
something that we strongly support as long as it is done consistent 
with national security needs. 

In summary, the SAFE Act will harm national security by mak- 
ing NSA’s job of providing critical actionable intelligence to our 
leaders and military commanders difficult if not impossible, thus 
putting our Nation’s security at considerable risk. The tlnited 
States cannot have an effective decisionmaking process, or a strong 
fighting force, or a responsive law enforcement community, or a 
strong counterterrorism capability unless the information required 
to support them is available in time to make a difference. The na- 
tion needs a balanced encryption policy that allows U.S. industry 
to continue to be the world’s leader, but that also protects the secu- 
rity of our Nation. Thank you. Madam chairman. 

Ms. Ros-Lehtinen. Thank you so much. 

Mr. Lee. 

STATEMENT OF RON LEE, ASSISTANT ATTORNEY GENERAL, 
NATIONAL SECURITY, DEPARTMENT OF JUSTICE 

Mr. Lee. Madam Chair, I would like to emphasize some of the 
points in my written statement for the Subcommittee in my brief 
remarks this afternoon. I would like to be clear, because the views 
of the Department of Justice on encryption and export controls are 
often caricatured or misrepresented. 

The Department of Justice supports the spread of strong recover- 
able encryption to protect the privacy of American citizens and to 
protect the security of our information infrastructure. This is not, 
after all, a debate about whether the U.S. national interest is 
served by the success of U.S. companies abroad. We fully accept 



14 


and support that premise. We are, however, deeply concerned 
about the threat to public safety posed by the widespread distribu- 
tion and use of nonrecoverable encryption. Law enforcement agen- 
cies, both in the United States and abroad — and we work closely 
with many law enforcement agencies abroad — have already begun 
to see cases where encryption has been used in efforts to conceal 
criminal activity. The number and complexity of these cases will 
certainly increase as encryption proliferates and, I emphasize, as 
encryption increasingly becomes an integral part of mass-market 
software items and network-based information services. 

Thus, we cannot just extrapolate from past examples where 
encryption has posed a problem. We must, as a government, in 
partnership with the Congress, take this moment to realize that 
encryption is becoming a part of our commerce and make respon- 
sible public choices. 

Faced with the use of nonrecoverable encryption, agents would 
not be able to make effective use of search warrants, wiretap or- 
ders, and other legal processes that have been authorized by Con- 
gress and ordered by the courts. These tools are absolutely essen- 
tial to effective law enforcement investigations today. Without 
these tools, law enforcement would find it increasingly difficult, if 
not impossible, to obtain important evidence of criminal activity 
and to gather and develop and present the evidence needed in 
criminal prosecutions. 

In the face of these challenges, the Department of Justice sup- 
ports the carefully balanced approach to export controls that the 
Administration is actively pursuing. The Chair asked about 
progress in the last year. I would like to report that the Attorney 
General, along with the Director of the Federal Bureau of Inves- 
tigation and other government officials have been actively engaging 
industry leaders in a continuing, cooperative, and positive dialogue. 
This dialogue has continued throughout the Department and the 
FBI at several different levels. 

We have gained a lot from the dialogue. We have both explained 
the public safety concerns that we have from the spread of non- 
recoverable encryption and we have learned about innovative solu- 
tions that industry has presented. It was in part this collaboration 
and dialogue that led us to be able to participate in the active re- 
port in the export control updates announced by the Administra- 
tion last September. We thank the Members of Congress who have 
helped to facilitate this dialogue and we will work hard to make 
sure that these discussions continue. We believe that the current 
balanced approach is the most conducive approach to continuing 
this open dialogue with industry. 

In this connection, the rapid elimination of export controls, as 
proposed in H.R. 850, the Security And Freedom through 
Encryption Act, would upset this balance dramatically. We believe 
that passage of the SAFE Act would cause the further spread of 
unbreakable encryption products that will be used by terrorist or- 
ganizations and others for criminal purposes. 

Of course, we recognize that law enforcement is already coming 
across nonrecoverable encryption by criminals. We are not standing 
still. In order to protect public safety, we are continuing to develop 
our own technical expertise. The Department of Justice has begun 



15 


initiatives such as the funding of a centralized technical resource 
within the FBI which will support Federal, State, and local law en- 
forcement personnel in developing a broad range of expertise, tech- 
nologies, and tools to respond directly to the threat posed by un- 
breakable encryption when used by criminals. 

We look forward to working with Congress to develop this re- 
source. However, I must emphasize that no technology, no set of 
technologies, no tool box offers a silver bullet. The widespread use 
of nonrecoverable encryption by criminals would quickly overwhelm 
whatever technical response and capabilities we could develop. In 
summary, we believe that the Administration’s approach balances 
the need for secure private communications and electronic com- 
merce with the equally important need to protect the safety of the 
public against threats from terrorists and criminals. We look for- 
ward to working with you on this important issue. Thank you. 

Ms. Ros-Lehtinen. Thank you so much. 

Mr. Voegtlin. 

STATEMENT OF GENE VOEGTLIN, ESQ., LEGISLATIVE COUN- 
SEL, INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE 

Mr. Voegtlin. Thank you. Good afternoon. Madam Chair, Chair- 
man Gilman, and Members of the Subcommittee. I am pleased to 
be here today on behalf of the International Association of Chiefs 
of Police. Our president, Ronald Neubauer, had hoped to be here 
today, but, unfortunately, he is out of the country and therefore 
cannot attend. 

I would like to briefly tell you about the lACP and then summa- 
rize our statement. Founded in 1893, the lACP, with 17,000 mem- 
bers in 112 countries, is the world’s oldest and largest association 
of law enforcement executives. Our mission throughout the history 
of the association has been to identify, address, and work to pro- 
vide solutions to urgent law enforcement issues. As I appear before 
you today, it is clear that robust, nonrecoverable encryption tech- 
nology and the threat it poses to the ability of law enforcement 
agencies to perform their mission looms as one of the most urgent 
and important issues facing our members in the communities they 
serve. 

The lACP’s position on the encryption issue is clear. We strongly 
believe that the unchecked proliferation of robust nonrecoverable 
encryption technology poses an enormous danger to effective law 
enforcement, public safety, and to society as a whole. Therefore, the 
lACP believes that any encryption legislation that is enacted must 
protect the ability of law enforcement agencies to perform court-au- 
thorized electronic surveillance and the search and seizure of crimi- 
nally related information stored in computers. 

In addition, the lACP believes that it is of vital importance to 
maintain the stringent export controls on robust nonrecoverable 
encryption products. The relaxation of export controls would likely 
result in the widespread proliferation of unbreakable encryption 
products which would severely limit if not completely destroy the 
ability of law enforcement agencies to effectively investigate and 
apprehend international terrorists and criminals. This is why the 
lACP was pleased last December when 33 nations signed on to the 



16 


Wassenaar export control agreement to impose or expand existing 
controls on encryption and other data scrambling technologies. 

I would like to note, however, that the lACP’s position on the 
need for law enforcement access does not mean that we oppose all 
uses of encryption technology. The lACP certainly recognizes that 
there is a legitimate need to use encryption products as a tool to 
protect electronic commerce and individual privacy. Indeed, law en- 
forcement agencies themselves have a need for secure communica- 
tions and information storage. Nevertheless, we must balance these 
legitimate concerns with the threat we face by providing criminals, 
drug lords, and terrorists with an impenetrable means of commu- 
nicating to their criminal associates. 

In addition, the lACP is aware of the economic issues involved 
in the manufacture and sale of encryption technology and products. 
However, we believe that we must consider the enormous economic 
damage that is being done to the United States economy as a result 
of crime and related consequences. For example, experts have esti- 
mated that the economic loss to the United States as a result of 
drug-related crime, accidents, medical care, and the loss of produc- 
tivity reaches upward to $50 billion a year. 

Finally, I would like to stress that providing law enforcement 
with a means to access the plain text of encrypted information 
would not represent an expansion of the police power to conduct 
searches or infringement on the Fourth Amendment protections 
against unreasonable searches. Law enforcement agencies would 
still be required to follow the current procedures that are necessary 
to gain access to other information that is used in the commission 
of crime. Providing for law enforcement access is entirely consistent 
with the constitutional safeguards of the Fourth Amendment. 

What we would be doing by ensuring that law enforcement can 
access the plain text of encrypted criminal information is simply 
modernizing our current search warrant laws to keep pace with ad- 
vances in computer technology. It is imperative that Congress take 
immediate steps to protect the capabilities of law enforcement. 
Electronic surveillance and wiretaps are two of the most effective 
tools in law enforcement’s arsenal. Over the years, numerous ar- 
rests, prosecutions, and convictions have been secured against 
criminals because of court-authorized surveillance and wiretaps op- 
erations. 

It is our belief that if Congress allows a robust encryption tech- 
nology to be sold without providing for a means of law enforcement 
plain text access, it would effectively be stripping law enforcement 
agencies of their ability to successfully perform electronic surveil- 
lance, wiretaps, and the search and seizure of criminal information 
stored in computers. Therefore, before any legislation is enacted, 
the lACP urges Congress to ensure that it contain provisions that 
would provide law enforcement with immediate and complete plain 
text access to information encrypted in the furtherance of criminal 
activity. The inclusion of such provisions are absolutely vital if we 
are to preserve the investigative capabilities of our Nation’s law en- 
forcement agencies. 

If Congress fails to provide law enforcement with this necessary 
access, law enforcement agencies will be further behind the tech- 
nology curve. Terrorists, drug lords, and other criminal elements 



17 


will have the upper hand over law enforcement and, as a result, 
the personal safety and security of all Americans and their prop- 
erty will he endangered. Thank you. 

Ms. Ros-Lehtinen. Thank you so much to all of our panelists 
and we are proud to begin our series of questions by our Chairman 
of the International Relations Committee, Mr. Gilman. 

Mr. Gilman. Mr. Lee, how many major organized crimes cases 
have made without court-authorized wiretap evidence? Can you 
give us a rough estimate? 

Mr. Lee. Chairman Gilman, each major organized crime case, 
like any other investigation of a major crime, is done with a com- 
bination of law enforcement investigative tools. Law enforcement 
brings to bear the entire set of tools to investigate, apprehend, and 
prosecute these criminals. In each of these investigations, court-au- 
thorized wiretap operations and the evidence derived from them 
are absolutely essential to the success of the enterprise. By that I 
would mean both the successful investigation of the organized 
crime matter and also the successful prosecution and marshalling 
of evidence against the defendants. 

Mr. Gilman. Thank you. Mr. Voegtlin, do you agree with that as- 
sessment? 

Mr. Voegtlin. Yes, absolutely. 

Mr. Gilman. How often in cases such as kidnappings and 
planned terrorist bombs has the court-authorized wiretap pre- 
vented the loss of life? Mr. Lee. 

Mr. Lee. Mr. Chairman, there have been numerous cases where 
court-authorized wiretaps have been used by law enforcement offi- 
cials to prevent and solve — to prevent loss of life and to solve the 
cases. I would add to that list not just terrorism and kidnapping, 
but also cases such as child pornography and other exploitation of 
children. It is an absolutely essential tool. 

Mr. Gilman. What about the timing of information that you re- 
ceive from wiretaps, too? Is that critical to the cases involved? 

Mr. Lee. Mr. Chairman, the timing, the ability to quickly derive 
the plain text, the meaning from the wiretaps on a real-time in- 
stantaneous basis is absolutely critical, both to saving lives and 
also to apprehending criminals and furthering the investigation. 

Mr. Gilman. Thank you. Mr. Reinsch, what effect would the im- 
plementation of the SAFE Act have on the Wassenaar arrange- 
ment? 

Mr. Reinsch. Mr. Gilman, first it would put us in violation of it. 
It is inconsistent with it and, second, I believe it would undercut 
our efforts to obtain stronger multilateral controls. It would prob- 
ably result in our allies abandoning their efforts to control these 
products. 

Mr. Gilman. Could you tell us, Mr. Reinsch, do the provisions in 
the SAFE Act relating to terrorist countries provide effective con- 
trol for the Administration to stop the export of encrypted products 
to those countries? 

Mr. Reinsch. That is a more complicated question than the 
Wassenaar question, Mr. Gilman. We believe generally no, but it 
is a more — that they do not help us provide effective control, but 
it is a more complicated legal analysis. The bill contains two provi- 
sions that contradict each other. One which addresses this question 



18 


specifically and one which generally removes licensing authority for 
what we believe would be most mass-market products. Even if we 
were to try to reconcile those conflicting provisions by construing 
the stricter one as ruling, we have some concerns about the way 
that it is drafted. It imposes, not with respect to countries, but 
with respect to individuals — individual terrorists or individual ter- 
rorist organizations — a substantial evidence test which is quite a 
high test, an unusual one for the kind of system that would make 
it much more difficult for us to identify and list, meeting the stand- 
ards of the Act, terrorist organizations and proscribe exports to 
them. 

Mr. Gilman. Just one last question: Mr. Voegtlin, what would 
encryption without access do to local law enforcement’s ability to 
fight the drug war? 

Mr. Voegtlin. Basically, we are concerned that it would all but 
eliminate our ability to fight the drug war. Currently — and it is be- 
coming on an ever-increasing basis — State police directors and local 
law enforcement agents are coming across encryption in an ever- 
increasing fashion. Right now what we are looking at are situations 
where you have drugs being imported into this country and the 
command and control is taking place overseas and they are using 
encrypted communications to talk to the subordinates in this coun- 
try, to talk about distribution and other coordination efforts. With- 
out being able to access this information through wiretaps, the 
ability for State and local law enforcement agencies to work in co- 
operation with the Federal agencies on the drug issue will be se- 
verely limited if not completely destroyed. 

Mr. Gilman. Thank you and thank you. Madam chairman. 

Ms. Ros-Lehtinen. Thank you so much, Mr. Gilman, for being 
with us. Mr. Menendez. 

Mr. Menendez. I thank you. Madam Chairlady, I appreciate this 
panel’s testimony. Before I ask my questions, I want to ask Mr. 
Lee, is your division of the Justice Department National Security? 
Is that my understanding? 

Mr. Lee. Sir, I am a Senior Member of the Deputy Attorney Gen- 
eral’s Office. One component of the Deputy Attorney General’s Of- 
fice is called the Executive Office of National Security. I am the 
acting head of that component, but I also have other responsibil- 
ities in the Office of the Deputy Attorney General. 

Mr. Menendez. That is not the same division of the Justice De- 
partment that declared the air space over Camden Yards to ban- 
ners talking about freedom and democracy our national security 
risk, is it? 

Mr. Lee. I am not familiar with that matter. 

Mr. Menendez. Because that really colored my perception of 
what national security is. Let me ask the panel the following. My 
friend and colleague from New Jersey, a new Member of Congress, 
Rush Holt, is a rocket scientist. His constituents have a bumper 
sticker in his district that says, “My Congressman is a rocket sci- 
entist.” Now, I am not a rocket scientist. I am just a poor old coun- 
try lawyer, ^^at I don’t have an understanding about 

I am not a professor either of the law. But what I really have 
a problem listening to the testimony here about is one basic set of 



19 


circumstances which seems to be glossed over and maybe all of you 
can help. 

No. 1 is, there is no domestic control of encryption. Is that a cor- 
rect statement? 

Mr. Reinsch. That is correct. 

Mr. Menendez. So I, as an American, or for that fact, someone 
from abroad who is visiting here could buy this domestically. I 
guess taking it back home might be a violation of the law. Is that 
the case? 

Mr. Reinsch. Yes, in general. There would be a personal use 
issue, but if you were taking it back to give to somebody else or 
to sell that would 

Mr. Menendez. If I wanted to buy and use it and take it back. 
But I don’t even have to do that, as I understand it. This tech- 
nology exists by a variety of countries — the Japanese, the Israelis, 
French, others — who have all of this capacity at its highest levels, 
as I said in my opening statement, in the Internet, you can 
download 128 bits. Now I heard Ms. McNamara say that we don’t 
control, we, in fact, permit under the new regulations over 56 bits. 
But that’s if you have, in fact, a key recovery system. If you have 
a non key recovery system, you can’t do that, can you? 

Mr. Reinsch. No. Maybe I can clarify that part. I would like to 
have Ms. McNamara talk a little bit about the availability issue if 
we have time for that. The policy permits the export in a variety 
of circumstances that my statement went over fairly quickly of 
more than 56-bit encryption. In fact, encryption without bit length 
limit and without key recovery features can be exported to U.S. 
subsidiaries, for example, to health care organizations, to banks, to 
financial institutions, and so on. 

Mr. Menendez. Yes. Outside of that specific category — and I 
have a chart here: the banks, financial, health insurance, health 
care 

Mr. Reinsch. Right. 

Mr. Menendez. Outside of that category. 

Mr. Reinsch. No. 

Mr. Menendez. If you want to, you could not. 

Mr. Reinsch. Except via — there is a whole list in that category, 
more than the ones I mentioned, but outside of what I assume is 
on your chart, the only way high-level encryption, 128-bit or what- 
ever, could be exported would be pursuant to an individual license 
that we would issue. An exporter can apply for anything they want 
and we will consider any application they submit, but it would take 
an individual license outside of those categories. 

Mr. Menendez. My point, Mr. Secretary — and for members of 
the panel, maybe you can help me here, elucidate to me — the point 
is whether you buy it here or domestically and you have this capac- 
ity and you illegally — ^because we are talking about illicit activities 
that we are concerned about and national securities and espionage 
and all of that — bottom line is whether you buy it domestically or 
whether you buy it abroad and use it for an illicit purpose here in 
the United States, what is it that we accomplish in terms of con- 
trolling the technology that is readily available and that can be 
used by anyone who seeks to do so illicitly for espionage or ter- 
rorism, for anything. I listened to the line of questioning of our dis- 



20 


tinguished Chairman and, all of those things can be accomplished 
by someone who wants to break the law and use and seek the tech- 
nology abroad. Tell me what it is that — how do we circumvent all 
of that? 

Ms. McNamara. Let me try and answer that question and then 
any of my colleagues can chime in behind, sir. Let me first address 
the issue that you raised about nations overseas. As you heard Mr. 
Reinsch say and I said as well, in December of last year, 33 nations 
signed up to the Wassenaar agreement. What that does is permits 
those 33 nations to have an umbrella arrangement or agreement 
which allows them then to invoke export controls in their own indi- 
vidual countries. They are doing that and they are abiding by it. 

Some of those nations without Wassenaar had their own export 
control regime and they are abiding by that. The 33 nations that 
signed up to the Wassenaar agreement are the 33 nations which 
are today the world’s predominant producers of encryption, save 
one or two, and even those, although not members of Wassenaar, 
do have their own export control regulatory regime which they in- 
voke for the export of encryption from their own national pro- 
ducers. 

The export of, or the individuals who, as you point out, illegally 
use or apply for the use of encryption, on an individual basis, we 
are never going to stop all of that. What we are attempting to talk 
about here is the actual broad use of encryption or the incentive 
for the broad export of encryption from this country. 

Encryption today is not being used broadly. Encryption today is, 
for the most part, being used by individuals for applications that 
are approved under our export control regime for business, for 
banking, for online commerce. All of that export, without requiring 
key recovery features, I might add, is available under today’s ex- 
port control regime from this country as of last September. That 
was reinforced and reendorsed by the Wassenaar agreements. 

When we look at the international use of encryption, I will tell 
you that we expect to see the broad use of encryption internation- 
ally when three conditions are met. Those three conditions are it 
becomes inexpensive — and I will grant you, it is becoming inexpen- 
sive — it becomes easy to use — and, in some cases, it is in fact easy 
to use. In other cases it is not — and what will be required for the 
broad international use of encryption is a security management in- 
frastructure which will allow the registering of keys, the authen- 
tication of users, and the free and open exchange of encryption 
across international boundaries. Those international security man- 
agement infrastructures do not exist today, globally. So we are not 
seeing the broad use of enc^ption. 

Mr. Menendez. I appreciate your answer. My concern, however, 
remains, I think, unanswered. That is, maybe you cannot answer 
it. Not that you don’t want to answer it. Maybe it cannot be an- 
swered. That is this, that, listening to your answer, Wassenaar, as 
I understand it, is ultimately not binding, but even to the extent 
that, while it is predominate of the countries, it is not exclusive. 
To the extent that you have access in those countries, domestically, 
as we would have access here domestically; and to the extent that 
you have acknowledged that it is becoming more and more inexpen- 
sive and easier to use, ultimately it just seems to me that those — 



21 


forgetting about the broad base appeal that we seek to divert for 
the time being — ultimately, those who want to use such encryption 
opportunities to do something illicitly, to do something in terms of 
how this panel has described their concerns about it, ultimately 
have the wherewithal to do it now. So I don’t know exactly what 
we stop here except American companies from being competitive in 
the world because those who want to do it will do it. 

Last, even to those that you have given presumptions of approval 
to, to American subsidiaries abroad that have foreign nationals 
working for them. It does not give me a sense of rhyme or reason. 
I get the sense that, we want to try to stop what we cannot stop 
and we are just hoping to buy time here at the end of the day. I 
may be wrong in that perception, but that is certainly the percep- 
tion I have. 

Mr. Lee. Mr. Menendez, if I may address that briefly from the 
law enforcement perspective, our position is not that the policy is 
a failure if there is one single illicit or bad person using encryption. 
We fully understand that people are going to go to great lengths 
to use encryption that we probably will never be able to read. The 
issue for us is that we are starting to get into a world where every- 
one will be using encryption and the policy issue, both for the 
world of exports and for the United States, is what will that world 
look like? Will it be a world where there is some possibility that 
the wiretaps that Mr. Voegtlin and I have spoken about will have 
some value, some meaning to protect public safety? Or will it be 
a world where those wiretaps are completely useless? That is the 
overarching policy issue, not whether a criminal or a terrorist 
could — indeed they can and they do. We are seeing that increas- 
ingly — not whether they can, in an isolated case, find encryption 
that frustrates us. The question is, as encryption becomes much 
more pervasive so that people don’t have to go to any effort whatso- 
ever to use it, what kind of a world will we live in? 

Mr. Menendez. My concern, Mr. Lee, is that what you are con- 
cerned about already is becoming a reality, notwithstanding any- 
thing that we are doing right now. I thank the Chair Lady. 

Ms. Ros-Lehtinen. Thank you so much, Mr. Menendez. Mr. Be- 
reuter. 

Mr. Bereuter. Thank you. Madam chairman. Thank you for 
your testimony. Mr. Reinsch, the reference has been made to the 
dialogue the Administration had been engaging in with the indus- 
try. I believe it may have first been started or at least noticeably 
progressing when it was initiated by John Deutsch, the Director of 
the Central Intelligence Agency. It seems to me that he maintained 
a successful back channel communication with the group of top in- 
dustrial CEO’s. They were moving ahead in what appeared to be 
very useful negotiations to strike a useful balance. When Deutsch 
left. Deputy Attorney General Jamie Gorelick continued that proc- 
ess and she has been now for well over a year. 

It seems to me, looking at it from the outside, that the discus- 
sions have withered away and do not appear to have the attention 
or the focus of the necessary officials in the Administration. In its 
place appears to be unilateral declarations. The Administration, 
through a new policy unveiled by Vice President Gore, imple- 
mented new regulations. Industry, not satisfied with this action, is 



22 


lobbying for enactment of the SAFE legislation. I was always inter- 
ested in the past to see representatives, actual employees of the 
software companies, coming up here, and lobbyists paid by them to 
represent those software companies on this issue oftentimes un- 
aware of what had happened with negotiations with the top-level 
CEO’s in their own companies. 

I think this matter of encryption control is a very serious matter, 
yet it appears the issue has been left to drift off the legislative cliff. 
We need, I think, to find a balance, an option that works in the 
real world. That would entail intense, very high-level negotiations 
and compromise, it seems to me, much like the negotiations were 
leading to, I thought, that Deutsch was leading. 

So my questions, to begin with, are what steps are being taken 
to reengage at the highest level industrial CEO’s to find a realistic, 
workable balance, or is something going on that you can’t talk 
about here or that you can talk about here? Who is the Administra- 
tion’s point person in this dialogue? When was the last dialogue 
meeting with top leadership of the software companies? When is 
the next meeting? Is anything like this happening? 

Mr. Reinsch. I can make some comments, Mr. Bereuter, without 
going into all the details of 2 of 3 years of history on this which 
I see in some respects similar to your points and in some respects, 
I think, different than the points you have made. I don’t think we 
have become unengaged, if you will. 

I think after Mr. Deutsch’s departure from the government, the 
dialogue has ensued really on two levels. There was a direct dia- 
logue with law enforcement and with the Justice Department and 
the FBI, which I think Mr. Lee could comment on separately, 
which was designed to put those two groups in direct contact for 
discussions, in many respects, at a technical level of how they could 
help each other and how they could try to advance the ball from 
that point of view. 

Mr. Bereuter. With the industry? A dialogue with the industry? 

Mr. Reinsch. That is correct. I am sorry. Yes, with the industry. 

In addition, we have continued the dialogue at senior levels, both 
with individual executives and also with several large groups, both 
hardware and software, that have become the representatives, if 
you will, of that point of view. Throughout this dialogue, whether 
before or after Mr. Deutsch’s departure from the government, at no 
time has the industry abandoned or dropped its goal of passing Mr. 
Goodlatte’s bill and we don’t assume that there is anything that we 
can do that will cause them to change their mind. When Mr. Good- 
latte is offering them the whole pie, I wouldn’t expect them to deny 
the opportunity. 

At the same time, I think that what we have done with them has 
been very successful in addressing a lot of the problems they have 
identified, and I think if you go back and look at their reaction, you 
can ask the following panel. Ask Mr. Smith, who will be on after 
me and some others about their reaction after the Vice President’s 
announcement in September. I think you will find that it was quite 
a positive reaction and a welcoming reaction as a product of some 
constructive dialogue we had at that time. Their final sentence 
was, this is great, we want more. We respect that. But I think it 
has been a successful relationship. It goes on. 



23 


I think the next encounter is likely to be the 10th of June when 
we have a group of CSPP CEO’s coming to town on several sub- 
jects. Computers is probably at the top of their agenda, but I am 
sure encryption will not be far behind and I am sure they will be 
meeting with representatives of the Administration. I understand 
they will be up here as well. I think that will be a chance to renew 
the dialogue collectively, but there are frequent opportunities for 
one-on-one or smaller group discussions. My secretary, Mr. Daley, 
has been to California several times in the last 3 or 4 months, as 
have I. We have these discussions every time we go. 

Mr. Bereuter. Secretary Reinsch, I would expect that seeking 
the whole pie, Mr. Goodlatte’s legislation, would be a good negoti- 
ating tactic. I wouldn’t deem it impossible to find something that 
is balanced despite their almost unanimous support for it. 

Director McNamara, my understanding is that the Wassenaar 
agreement still allows the export to countries that set different 
standards. I can’t understand really, in that situation, how you are 
able to achieve your purposes in protecting the national security or 
how law enforcement is able to pursue at the local, national, or 
State level their objectives when you have got this differential 
under Wassenaar. What am I missing here? Is that a problem or 
am I wrong about the impact of Wassenaar on the exports to the 
various countries? 

Ms. McNamara. The existence of Wassenaar allows countries to 
actually have something to connect an export control regime to in 
those countries that didn’t have a regulatory underpinning in their 
countries. It is all up to national discretion, as it is in our 

Mr. Bereuter. It is differential in its application, isn’t it. Direc- 
tor McNamara? 

Ms. McNamara. I am sorry, sir? 

Mr. Bereuter. It is differential in its application, country-to- 
country? 

Ms. McNamara. Yes. Country-to-country, as it is here. But it is 
fundamentally based on end-use and end-user and there are agree- 
ments that are in common, like preventing the export of encryption 
to terrorists and we can do, actually, a comparison for you, sir, if 
that would be helpful. 

Mr. Bereuter. It does seem to me that the end-user approach 
is unenforceable in reality. Secretary Reinsch, one final question. 
You mentioned in your written testimony at least that you believe 
the Goodlatte bill, as drafted, could inhibit the development of key 
recovery even as a viable commercial option for those corporation 
end-users that want it in order to guarantee access to their data. 
Could you elaborate on that? 

Mr. Reinsch. Yes, Mr. Bereuter, if I can find the provision. I 
think if you look at — I wouldn’t say, by the way, that — I tried to 
phrase that statement in my testimony carefully because I wouldn’t 
say that the problem is as big in this bill as it is in some other 
ones that have been introduced, but I think if you look at, in gen- 
eral, the provisions on page — in my draft, which I think is the one 
with all the cosponsors on the front, the provisions on page five and 
page six of the bill. We would interpret them as significantly dis- 
couraging the use of key recovery. I would not go so far as to say 
the bill prohibits that, but we think it has an inhibiting effect. 



24 


Mr. Bereuter. You did say inhibit and that is the word I tried 
to use in your quote. I will look at those. Thank you very much. 
Thank you, Madam chairman. 

Ms. Ros-Lehtinen. Thank you. Mr. Goodlatte, we are going to 
recognize you in a moment even though you are not a Member of 
our Committee. Mr. Delahunt. 

Mr. Delahunt. Yes, thank you. Madam chairwoman. I have had 
the benefit of this testimony in my capacity on the Judiciary Com- 
mittee and I have had an opportunity to engage in some dialogue. 
I would just make some observations. I think that both Mr. Bereu- 
ter and Mr. Menendez have articulated some of the concerns I 
know that you have heard from me in terms of those who are so- 
phisticated and have an intent to indulge in illicit activity, you sim- 
ply can’t deter them, given the realities of foreign availability. I 
think this is the problem that we are wrestling with. I think, if I 
am correct. Director McNamara, I think you just acknowledged 
that earlier in your testimony? I don’t want to put words in your 
mouth, but that was the conclusion that I draw. 

Ms. McNamara. We are never going to stop everyone from 
breaking the law. That is true, sir. But coming down in the car, 
I happened to be thinking that just because somebody speeds 
through a school zone doesn’t necessarily mean we raise the speed 
limit in the school zone. 

Mr. Delahunt. Right. 

Ms. McNamara. There are some products available overseas. I 
would appreciate it if you accept Mr. Cilman’s earlier offer when 
he announced the classified session on Thursday and I would be 
happy to talk about this in more detail at that session. 

Mr. Delahunt. I hope to accept that invitation, but I am just 
saying for those who are unable to go to that particular briefing. 
I think that the concern that I have from a national security per- 
spective, if the development of encryption technology in this coun- 
try is impeded — put aside for a moment the adverse impact in 
terms of our balance, in terms of our economy — what we are going 
to have is these cutting-edge encryption technologies far surpassing 
what we have available to us. If the marketplace is really driving 
this issue. I think I understand where you are heading. I think, 
particularly, I am addressing this to Ms. McNamara, not just be- 
cause you are a former resident of Massachusetts, because I know 
you have strong feelings about this particular issue. 

Ms. McNamara. About Massachusetts, sir. 

Mr. Delahunt. About Massachusetts, obviously. Don’t worry, 
they won’t tear down Fenway Park. I can assure you that. 

But my point is, particularly from a national security perspec- 
tive, we are dealing with a level, I presume, of sophistication in 
terms of potential adversaries where they will take advantage of 
cutting-edge technologies that are available in the marketplace. 
This is the bottom line in terms of the concerns that I have and, 
at the same time, disadvantaging our, commercial interests as far 
as competing in the global economy. 

Ms. McNamara. As Mr. Reinsch said, if I may, as Mr. Reinsch 
said and I said in my testimony, we do not want to impede the cre- 
ativity of U.S. industry. That is not our goal. We want to see U.S. 
industry succeed and we want to see them succeed overseas. What 



25 


this bill does, though, is eliminate all control mechanisms on ex- 
ports. 

Now when we say that, what we want to see is a regulatory proc- 
ess where, outside of those sectors who have broad relief and there- 
fore have — they can sell their products anywhere in certain sectors 
and for electronic commerce for certain purposes, we want to see 
a review process and we want to see who the end-user and the end- 
use is going to be so we can understand the product. 

Mr. Delahunt. I don’t disagree with what you are saying in the 
stated goal. But, at the same time, I think what we have to remem- 
ber — ^you refer to Wassenaar and it is discretionary and I don’t 
think we ever level off that playing field until we have an enforce- 
able multilateral export control regime. I just don’t see — that all 
nations will respect and that do not disadvantage commercial inter- 
ests and we are not going to do this with an agreement, that is re- 
lated to the Wassenaar compact. 

Mr. Reinsch. I think — if I could comment, Mr. Delahunt — what 
intrigues me about this line of argument — and it was similar to the 
one that Mr. Menendez was putting forward — is the interesting 
question is what do we do in the interim before we reach that 
point. We may never reach that point, but let us assume that we 
are striving for an effective multilateral arrangement, which would 
deal with this. 

Mr. Delahunt. Right. 

Mr. Reinsch. I think that is a fair statement. What do we do be- 
tween now and then? It seems to me that the suggestion you are 
making is almost that because we cannot succeed completely, we 
should give up. I think we are not prepared to give up simply be- 
cause we are not going to be perfect. 

Mr. Delahunt. Again, I think you have got to deal with the re- 
alities on the ground. Mr. Lee and Chief, you say there are inci- 
dents that have occurred in terms of encryption. Can you quantify 
them? Give us some hard data in terms of — Chief. 

Mr. VOEGTLIN. Actually, like, Mr. Menendez, I am not a rocket 
scientist nor am I police chief I just represent the police chiefs. As 
a matter of fact, in preparing for this testimony today, I was on the 
phone with State police directors in some of the largest States in 
the country asking them to quantify the number of incidents. It 
kind of goes to the point that you are making. What they told me 
is that right now, since this is in a growing area, most of the evi- 
dence that they could give me is anecdotal, but I think it speaks 
to the larger issue of what you are talking about, that it is already 
out, that the cow has left the barn or the horse has left the barn 
on this issue. 

But — and this is going back to me not being a rocket scientist — 
from what we understand here, there are questions about reli- 
ability, as Chairman Gilman mentioned, with foreign-made prod- 
ucts, that there is not a whole lot of robust nonrecoverable 
encryption out there right now that is being used. 

Mr. Delahunt. Let me just regain my time and I know my time 
is expiring and I just would ask for a minute’s worth of followup 
here. The reality is, I compared it during the hearing in the Judici- 
ary Committee to an imaginary line. You simply buy it here. You 
don’t even have to get on the plane and go across, the ocean. Just 



26 


download it and it is available instantaneously all over the world. 
The criminal element that most chiefs of police deal with on a reg- 
ular basis — I served in the law enforcement community for 21 
years and when they start using encryption, that comes as a sur- 
prise to me. 

Mr. VOEGTLIN. That is 

Mr. Delahunt. These violent criminals — and I think that is the 
concern that most Americans have in terms of traditional street 
crimes which local chiefs of police and State police and local pros- 
ecutors deal with — God forbid they start using encryption because 
we are in real trouble. 

Mr. VoEGTLiN. Congressman, and if I can 

Mr. Delahunt. I am talking about the, you know 

Mr. VOEGTLIN. I know who you 

Mr. Delahunt. Most of us aren’t rocket scientists. 

Mr. VOEGTLIN. Right. 

Mr. Delahunt. Most of us have difficulty logging on. 

Mr. VOEGTLIN. That is exactly the point that we are trying to 
make in that when encryption, highly robust encryption, becomes 
widespread, when the United States — which is a market leader in 
this area and would be with this legislation — takes the lead in the 
manufacture and distribution of this robust, unbreakable 
encryption, it will become easier for those street-level thugs to use 
encryption. The problem will become more widespread and 

Mr. Delahunt. With all due 

Mr. VOEGTLIN [continuing]. Let me just finish. 

Mr. Delahunt. OK. 

Mr. VOEGTLIN. In the opinion of the International Association of 
Chiefs of Police, what you are facing is a choice: whether or not you 
want to take this kind of software, make it available widespread 
to increase its use, to allow people on a low-level of crime — I know 
we are always going to be dealing with folks who are drug lords 
who have unlimited resources — but when you start putting it on 
the street level, it becomes more widespread and that is our con- 
cern. 

Mr. Delahunt. With all due respect to your position, I wasn’t a 
chief-of-police, I was a chief prosecutor in a major jurisdiction. I 
daresay, that, availability to the street-level criminal simply is an 
argument that is disingenuous, with all due respect. I can’t accept 
that argument. I know better. I know better. I yield back and 
thank the Chair. 

Ms. Ros-Lehtinen. Thank you so much, Mr. Delahunt. Mr. 
Goodlatte, if we could recognize Mr. Gilman for one question before 
we turn to Mr. Goodlatte. 

Mr. Gilman. Just one question in response to what the testimony 
has been. The gentleman made the point that there are always peo- 
ple willing to do illicit acts and use means to conceal them, but is 
that a reason to throw in the towel and see encryption devices on 
every street corner in the hands of every petty drug dealer? Isn’t 
the issue here proliferation of unaccessible encryption? 

Mr. VOEGTLIN. Absolutely. That is exactly what we are talking 
about — is when this becomes proliferated. When this is widespread, 
the problems will multiply and State and local law enforcement, 
which is only dealing with it on an anecdotal level at the moment. 



27 


will deal with it over and over again. The resources of the State 
and local law enforcement agencies are obviously less than the Fed- 
eral Government. If they are already dealing with it, imagine what 
it will he in 10 years when even local dealers dealing with distribu- 
tion networks on the street level are able to communicate in abso- 
lute security that law enforcement has no idea what they are talk- 
ing about. 

Mr. Gilman. Mr. Lee, would you care to comment on that issue? 

Mr. Lee. I would only add, Mr. Chairman, that I think you have 
really pinpointed the issue and the public policy dilemma for all of 
us. One of the things that I mentioned in my opening statement 
is that we have been having very productive discussions at a num- 
ber of levels with law enforcement, arising from the CEO inter- 
action and, in large part, it is to look at where industry sees the 
marketplace going and how we can better understand their needs, 
how they can better understand public safety needs, and what the 
possibilities are for a convergence of those interests. That has been 
a very productive dialogue and I think it is one way that we are, 
with industry, addressing the question: How are we going to shape 
the way the market looks? How are we going to stand up together 
and make sure that all of the interests that Mr. Reinsch has men- 
tioned here as having to be balanced, make sure they are all bal- 
anced? That is the challenge for all of us. 

Mr. Gilman. Thank you. 

Ms. Ros-Lehtinen. Thank you, Mr. Gilman. Mr. Goodlatte. 

Mr. Goodlatte. Thank you. Madam chairman. First, I would 
like to note that, as someone who was born and grew up in the 
Commonwealth of Massachusetts, I am glad to find that I have 
something in common with Ms. McNamara. I am sorry we don’t 
agree on this legislation, but we do agree on something that Con- 
gressman Menendez said earlier, and I think it is absolutely cor- 
rect — and that is we are all concerned about national security and 
law enforcement issues. 

The issue here is not whether or even when strong encryption is 
going to be available. It is available now and it is going to be wide- 
spread very soon. The issue is how we are going to deal with it and 
whether we are, as a nation, going to cede this market to dozens 
of foreign countries and literally hundreds of foreign companies 
who are already starting up and producing this product. There are 
650 strong encryption products available in the United States from 
foreign sources that could not be exported if a U.S. company made 
the same product and attempted to sell it overseas. That is a seri- 
ous problem and one that our competitors overseas are well-aware 
of. 

The problem with the Wassenaar agreement is that it is Swiss 
cheese. It is something that is loaded with loopholes. The gen- 
tleman from Nebraska is exactly right. It can be applied differen- 
tially in different countries. It is being done. The aspect of this re- 
lated to recoverable encryption is one that is being rejected. 
Madam chairman, if I may, I would make a part of the record an 
article from the National Journal of Technology Daily pointing out 
that the French who were previously cited in previous hearings as 
one of our strongest allies in this effort to control encryption have 
abandoned key recovery. 



28 


Ms. Ros-Lehtinen. Without objection. 

Mr. Goodlatte. Then the following day an article, also in Tech 
Daily, pointing out that the British government has abandoned key 
escrow or key recovery, leaving us with a situation where, as more 
and more countries do this — and I don’t know of any that has at- 
tempted to implement a key recovery scheme — we are going to be 
put in a position where we are holding back the ability to make 
strong encryption available to people who want to use it, except if 
they want to download it from the Internet, buy it from foreign 
sources and the only folks who are going to be impacted negatively 
by this are the U.S. companies who aren’t going to break the law. 
They are not going to violate our export control laws, but dozens 
of great companies from IBM to Microsoft to Sun Microsystems to 
the list goes on and on and on, they are going to be competing with 
one hand tied behind their back. So the effect is going to be they 
either send the business offshore or they cede this business to for- 
eign competition. 

Now, with regard to recoverable encryption, the gentleman from 
the Commerce Department has indicated that you are not calling 
for a key recovery system, but the gentleman from the Justice De- 
partment keeps referring to recoverable encryption. During the 
hearing in the Judiciary Committee, I asked him what he meant 
by recoverable encryption if it wasn’t key recovery and he said that 
there are many technologies that aren’t strictly speaking key recov- 
ery that do promote the interests of law enforcement as well as 
other government interests. 

If you are not referring to key recovery, Mr. Lee, what are you 
referring to? You have still, in spite of having agreed to respond 
to that, not responded to that in any substantive way to give us 
other ideas of what you mean, if it is not key recovery. It might 
be the Clipper Chip, which is a notorious proposal of the Justice 
Department of a few years back where the chip was embedded into 
the computer itself and was thoroughly rejected by everybody in- 
volved in the process. But what are you referring to? 

Mr. Lee. It is not the Clipper Chip. I was referring to a variety 
of technologies which are going to depend on the application, on the 
market sector, on the end-user, on the business need. What each 
of those technologies have in common is that they provide some ca- 
pability to provide plain text upon presentation of a lawfully au- 
thorized court warrant. 

Some of the examples that we have given — I obviously don’t want 
to get into proprietary information or favoring particular compa- 
nies, but — for example, the consortium of private doorbell compa- 
nies that came to us and proposed a method, which Secretary 
Reinsch can elaborate on, which would allow the export of strong 
encryption while also meeting law enforcement needs. There are 
many others. They are detailed on various web sites. I don’t have 
an exhaustive catalog of them here, Mr. Goodlatte, but there are 
a variety of different products. 

Again, no one of them is — there is no such thing as a key recov- 
ery system. That is a term that we were using to refer, perhaps 
unartfully, to the concept that a product which is designed and 
marketed to meet a business need also supports the needs of law 



29 


enforcement. That is all we are after. We are not wedded to any 
particular technology or product or application. 

Mr. Goodlatte. But you would mandate that every company 
that wants to manufacture and export a product in the United 
States for sale overseas have that type of device attached to it in 
spite of the fact that we are confronted with a flood of foreign com- 
petition that would not have that mandated to it and, in fact, 
would he advertising that they have a product that is secure that 
U.S. companies cannot offer. In fact they are advertising that fact 
right now. 

Mr. Lee. Sir, we would not mandate that. As Secretary Reinsch 
and the other panel members have testified, in pursuant to the 
encryption export updates last September, there were a number of 
encryption products for a number of very important sectors, very 
significant parts of the world economy where encryption does not 
have to provide those kinds of capabilities. Also 

Mr. Goodlatte. So you would not object to the provisions in this 
bill which prohibits the government from mandating key recovery 
or key escrow? 

Mr. Lee. That wasn’t my testimony, sir. 

Mr. Goodlatte. Please clarify then. 

Mr. Lee. We have testified, both in our written statements and 
in our verbal testimony, that we are concerned that provisions in 
H.R. 850 would inhibit the government from encouraging the use 
of key recovery, key escrow, other types of plain text availability 
systems, both for its internal use and for people seeking to do busi- 
ness with the government. You also have Secretary Reinsch’s testi- 
mony on that point. 

Mr. Goodlatte. What do you mean by the word “encourage?” 

Mr. Lee. The government has a number of statutory obligations 
to make information available to its citizens: document retention 
programs, government public-right-to-know information, all the in- 
formation that the government has is held in trust. If that informa- 
tion is encrypted, we have a responsibility, which is set out in stat- 
ute, to make sure that, at the appropriate time, that information 
will be made available to the public. So that is the kind of obliga- 
tion where some kind of plain text recovery system is going to be 
necessary to meet that obligation. Again, contractors, others who 
are collecting information for that purpose would 

Mr. Goodlatte. There is nothing in the legislation which pro- 
hibits the government from having its own key recovery system for 
its own record keeping purposes. But we do prohibit the govern- 
ment from mandating that anybody who does business with the 
government, which is virtually every business and every citizen in 
the United States, from using a system that requires a key recov- 
ery system to be attached to it. If they prefer for their own security 
and their own privacy to not have a key recovery system, as many 
people do, we do not allow the government to mandate that. But 
we do not prohibit the government from having its own key recov- 
ery system for its own purposes. Nor do we prohibit any private 
business from doing that for those who choose to do it. It is not the 
business of the government to mandate to people whether they 
should have key recovery or not have key recovery. 



30 


The problem with it is if you mandate it and other creators of 
products in other countries do not. They have a tremendous market 
dominating advantage in selling a whole array of hardware and 
software products that are going to be using strong encryption 
when they can say that they can guarantee you that no one, the 
U.S. Government or anyone else has a key to that system. 

Mr. Lee. The government does a number of its business through 
contractors and one of the concerns we have is that this would pre- 
vent the government from doing its business in the way that the 
government deemed most appropriate when the contract is 

Mr. Goodlatte. So you would insidiously put key recovery into 
the entire country by saying that if you want to do business with 
the U.S. Government, you have got to have key recovery. That is 
what you mean by encourage. When you say you really don’t want 
to mandate key recovery, but you want to encourage it by saying 
if you want to do business with the government online — which ev- 
erybody will be doing in the near future — you are going to require 
that they have a system that, if they do business with the govern- 
ment, has a key recovery feature. Is that what you are saying? 

Mr. Lee. I guess, a couple of points in response, if I may. It 
wasn’t my testimony that the government is going to be seeking to 
do those things. I have testified what the government’s position is, 
as have the other panelists. The government’s policy, the Adminis- 
tration’s policy, is that there are not restrictions on the use of 
encryption. What I did testify, Mr. Goodlatte, was that, to fulfill its 
statutory obligations in the way that it deems best, the government 
may decide, if it is necessary, to have some form of key recovery. 

Mr. Goodlatte. Require contractors doing business with the 
government to use key recovery as well? 

Mr. Lee. In order to fulfill statutory obligations such as record 
keeping, that may be a possibility. I wouldn’t 

Mr. Goodlatte. When you say contractors, would that be other 
people doing business with the government like taxpayers filing tax 
returns? 

Mr. Lee. I was dealing with the situation of contractors. 
Again 

Mr. Goodlatte. Where would you draw the line? I just want to 
make it clear why this bill draws the line at saying we are not 
going to be mandate because of the fact that this is an all-encom- 
passing thing. Once you start down that road of saying, if you want 
to do business with the government, you have got to use key recov- 
ery, you can, very shortly, require that virtually every system of 
communications that we have in the country have key recovery, not 
by mandating it, but by, to use your phrase, encouraging it because 
if you want to communicate with the government in this fashion, 
you have got to do that. 

Mr. Lee. I think with the possible exception of Washington, D.C., 
we may have a difference of opinion of the impact of the U.S. Gov- 
ernment on the overall economy. 

Mr. Goodlatte. I don’t know many law-abiding citizens who 
don’t file tax returns or don’t have to communicate with the gov- 
ernment on a whole host of other issues that are vitally important 
to them from social security and Medicare to census taking to — the 
list goes on and on and on. 



31 


Mr. Lee. I also respectfully disagree that the government is try- 
ing to do something insidious here. What we are trying to do is to 
make sure that we fulfill our statutory obligations. 

Mr. Goodlatte. I don’t — certainly there is no statutory obliga- 
tion to impose key recovery because, at this point in time — and I 
hope forever in the future — we do not have any kind of domestic 
limitations on the use of strong encryption or the requirement that 
you use a key recovery system to protect your privacy, to protect 
your property, which is what strong encryption is designed to do. 
Thank you. Madam chairman. 

Ms. Ros-Lehtinen. Thank you so much. Mr. Sherman. 

Mr. Gilman. Madam chairman, before I go 

Ms. Ros-Lehtinen. Yes, Mr. Gilman. 

Mr. Gilman. Can I just make a unanimous consent 

Ms. Ros-Lehtinen. Absolutely. 

Mr. Gilman [continuing]. The May 11th letter from the president 
of B’nai Brith, Richard Heideman, on encryption issues be made 
part of the record. 

Ms. Ros-Lehtinen. Without objection. 

Mr. Gilman. Thank you. Madam. 

Ms. Ros-Lehtinen. Thank you. 

Mr. Sherman. Madam chairman, I would like to pick up on the 
questions being asked by the honorable gentleman from Virginia. 
Mr. Lee, maybe you could just put our minds to rest. Will this Ad- 
ministration ever say that, in order for a bank to have any deposits 
of the U.S. Government, that it must divulge the key recovery in- 
formation as a condition for having U.S. Government deposits? Are 
you keeping open that hammer that you would use to deprive 
Americans of their privacy? 

Mr. Lee. I have testified, as have my fellow panelists, that it is 
the Administration’s policy not to seek mandatory regulation of key 
recovery. 

Mr. Sherman. I am not talking mandatory. I am saying, as you 
may know, the U.S. Government sends out an awful lot of social 
security checks. Those are being sent out by wire to banks across 
this country. Will the Administration ever tell banks that they 
must divulge the key information in order to be eligible to receive 
such wired social security deposits? 

Mr. Lee. I think the wise thing for me to do would be to defer 
that question to Secretary Reinsch. 

Mr. Sherman. You’ve shown tremendous wisdom. 

Ms. Ros-Lehtinen. He’s a country lawyer. 

Mr. Sherman. Now let us see whether the Secretary will show 
wisdom. Can you put our minds to rest or are you going to 

Mr. Reinsch. All I can say, Mr. Sherman, is that I have been in- 
volved in, as far as I know, most of the discussions that have gone 
on this issue for the last 3 years and nobody has even thought 
about that. Nobody has even 

Mr. Sherman. Nobody has thought of it. Can you tell us how 

Mr. Reinsch. Nobody has thought of that. Nobody has suggested 
it. 

Mr. Sherman [continuing]. That gentleman from Virginia has 
thought of it. Can you put our minds to rest or could we face that 
mechanism of trying to force the divulging of key 



32 


Mr. Reinsch. I can only tell you what I have said because I am 
not in the bank regulatory business. If you want to know what is 
contemplated with respect to bank regulation, you will have to 
have ask the bank regulators. I haven’t talked to them about this. 
As far as I know it has never occurred to them and it is not on 
their agenda, but I certainly wouldn’t presume to speak for them. 

Mr. Sherman. But you are representing the Administration here 
in terms of a desire to have access to a key that would allow you 
to decode encrypted information. In that capacity, will you be 
pressing to use all of the levers of the Administration to try to com- 
pel domestic organizations doing domestic business with American 
citizens, will you try to penalize them or take away their right to 
do business with, for example, social security recipients because 
they do not divulge the key? 

Mr. Reinsch. As far as I know, we have no intention of doing 
that. But let me stress, at the same time, what Mr. Lee said. The 
issue here isn’t keys, from a law enforcement point of view, the 
issue here is data and access to data. Key recovery and the exist- 
ence of the key is one means of achieving the objective. The De- 
partment of Justice and other law enforcement entities have, as far 
as I know — and have said this many times and I think Mr. Lee 
said it today — have no interest in trying to expand their capacity 
to obtain private information beyond what existing laws and exist- 
ing courts permit them to do. 

What we are trying to deal with here is simply a means of how 
do you apply existing court rulings and legislation with respect to 
law enforcement access to private information to a new technology? 
We are not trying to expand the right of access. I think the best 
way to look at this debate is to focus on the information and 

Mr. Sherman. Excuse me, I have a limited amount of time. You 
have gone well beyond the question I asked. 

There is, I think, no prospect of getting Congress to give the Ad- 
ministration or any Administration domestically what you are 
seeking internationally. Do you disagree or will you be proposing 
legislation that would prevent someone from buying encryption, 
strong encryption, at their local software store? 

Mr. Reinsch. We have testified to that many times and it is in 
my statement. We have no intention of doing that. 

Mr. Sherman. So what we have is a situation where you can’t 
go after what you would like domestically, so you want to punish 
the U.S. software industry by putting it at a disadvantage vis-a-vis 
its foreign competitors. Not surprisingly, our foreign competitors 
and their governments have welcomed this effort and have engaged 
in a little dance at Wassenaar where they pretend to be interested 
in preventing their companies from marketing strong encryption 
worldwide and we fall for it and are now in a process of giving 
away what may be the world’s most important industry to our for- 
eign competitors. Then you come to us and you show us how beau- 
tiful our economic competitors’ dance at Wassenaar and give us 
that as a reason why we should bludgeon our own industry and 
make it more difficult for them to compete worldwide. 

I know there is a question in there somewhere. 

Mr. Reinsch. Was there a question in there, Mr. Sherman? 



33 


Mr. Sherman. There will be a question, I assure you, Mr. Sec- 
retary. 

Mr. Reinsch. All right. 

Mr. Sherman. That question is: For Mr. Voegtlin — Gene, I am 
mispronouncing your name. 

Mr. Voegtlin. Voegtlin. 

Mr. Sherman. Voegtlin. That is: You talk about how you don’t 
want street thugs communicating with each other, using encryption 
you cannot decode. Is there any prospect of preventing that when, 
in fact, your colleagues here representing the Administration won’t 
even propose legislation that would prevent any American, criminal 
or otherwise, from getting all kinds of encryption from their local 
software store? 

Mr. Voegtlin. As you say, they represent the Administration. I 
do not. 

Mr. Sherman. Will you be proposing the legislation that they are 
unwilling to propose? 

Mr. Voegtlin. If I could, I don’t know if we would. But I will 
say this and I would like to get this as clear as I can. The folks 
that I represent view this as an issue of great importance and, to 
them, a simple choice. You have a choice — they understand the 
need for encryption. They agree that it has legitimate uses. But 
they are more concerned about trying to — and trying to do their 
jobs and how encryption prevents them from doing it. 

If they had the answer to this issue, I wouldn’t be up here. Actu- 
ally, I would be a very rich man. I am not, so they don’t. But what 
I think you are all confronting here is a basic choice. You need to 
find some kind of balance between strong recoverable encryption 
that can fulfill the vast majority of legitimate uses and strong un- 
breakable encryption that could be put to insidious, dangerous, 
frightening uses. 

I know that is an answer that doesn’t answer. But, again, I don’t 
have the answer for you. All I can try to tell you is that we are 
facing 

Mr. Sherman. I agree with you completely. I agree with you com- 
pletely. I don’t have the answer. You don’t have the answer. There 
are elements of the Administration so angry that there isn’t an an- 
swer that they would just like to bludgeon the hell out of the U.S. 
software industry. They are, of course, encouraged by our foreign 
competitors. But it is certainly not an answer to say that we are 
going to allow something to be purchased at every software store 
in America, but we are going to prevent legitimate people from ex- 
porting that same software. 

Because I will ask you, speaking on behalf of the police chiefs, 
do you know of any mechanism that the police chiefs can use to 
prevent anything that is purchasable at every software store in 
America from being exported, either physically or over the line to 
criminal figures in other countries? Do you have any prospect at all 
of preventing that? 

Mr. Voegtlin. I have no information myself. I would be glad to 
check with our Committees that deal with terrorism, international 
crime, and organized crime and see if any of those experts have an 
answer. 



34 


Mr. Reinsch. Actually, Mr. Sherman, if I could comment. That 
is my job. The other half of what BXA does is enforce the Export 
Administration Act and that is what we try to do. The answer to 
your question is, in the circumstances you have described, it is ex- 
traordinarily difficult. There is no question about that. 

Mr. Sherman. Is extraordinarily difficult, is that Washington 
talk for completely impossible? 

Mr. Reinsch. It is not. 

I try to avoid Washington talk. 

Mr. Sherman. Again, if I were to walk into Egghead, buy some- 
thing, and send it over the Internet to somebody in Canada, 
wouldn’t you think that would be like completely impossible for you 
to stop me? 

Mr. Reinsch. What we have said about this many times and 
what Ms. McNamara said earlier is, if somebody wants to defeat 
the system, they can do that. There is no question about that. We 
have never denied that. I would not go so far as to say it is clearly 
impossible. We have a number of investigations going on. We do 
catch people. Never underestimate the stupidity of some of the peo- 
ple we have to deal with. 

I didn’t say that. 

Mr. Sherman. It is a shame that you do have to deal with Con- 
gress. 

Again, I think that you are 

Ms. Ros-Lehtinen. He is not going to name names. 

Mr. Sherman. I think my time has expired. 

Ms. Ros-Lehtinen. Thank you, Mr. Sherman. 

Mr. Burr. Let us move on. 

Mr. Burr. Mr. Secretary, your comments are shared. 

Mr. Reinsch. We may be talking about different people, though, 
Mr. Burr. 

Mr. Burr. I feel confident we are. Mr. Secretary, I would like to 
read some statements to you and ask you some questions relevant 
to those statements. The first is, and I quote, “As the line between 
military and civilian technology becomes increasingly blurred, what 
remains clear is that a second-class commercial satellite industry 
means a second-class military satellite industry as well. The same 
companies make both products and they depend on export for their 
health and for the revenues that allow them to develop the next 
generation of products.” If we replaced the word satellite with the 
word encryption, do you think that statement would still stand? 

Mr. Reinsch. First of all, Mr. Burr, I am delighted to see that 
Members of Congress are reading my speeches. It warms my heart. 
I encourage you share that with some of your colleagues. I would 
love to have them look at it. 

I think, as a general statement, yes. I think that statement 
would stand. I think there are a lot of similarities. I was thinking 
when you made your opening comments, which I felt were quite 
thoughtful on this subject, that it would be appropriate to apply 
the comments you made to some other situations as well. That does 
not mean, however, in either of those cases, this one or the other 
one, that the answer is no controls. I think it means that the an- 
swer is balance and a realistic view about what is controllable and 
what is not and what the national security implications of both are. 



35 


Mr. Burr. I hope, from my opening statement and from my line 
of questions, you will understand that I think the difficulty that we 
have or the disconnect with all of our witnesses and many of the 
Members here and I think what we struggle to understand is we 
see this reality of the access that the domestic market has today, 
our inability to limit in any way encryption products, yet some be- 
lief on the part of the Administration and others that there is a 
way to do it. If there is, then share that with us. If there isn’t, 
then, as Mr. Sherman said, let us find the best balance to allow 
our LJnited States companies to compete in this global marketplace. 

Let me go on one more statement. “Some of these satellites bring 
telephone, television, and Internet services to the Chinese people. 
I believe such services are an integral part of any effort to bring 
democracy and freedom to China.” Could the same be said of strong 
encryption products, which might provide those movements for de- 
mocracy in China to stay behind the prying eyes of the Chinese 
government? 

Mr. Reinsch. Mr. Burr, that is — I would say two things about 
that. I think that is certainly true. I think, at the same time, some 
of your colleagues, particularly those on the Armed Services Com- 
mittee, would make exactly the other point here and that is do we 
want to sell strong encryption to the People’s Liberation Army so 
it could be further used to protect their own communications from 
our intelligence and to further oppress the Chinese people? 

Mr. Burr. Do we currently allow encryption products to be 
placed on the satellites that we export? 

Mr. Reinsch. The satellites that are launched have encryption 
which might best be described as — and it is an outdated 
encryption — it is encryption that allows us to encrypt the signals 
that control the movement of the satellite. 

Mr. Burr. Does it limit one’s access to the information off of the 
satellite? 

Mr. Reinsch. I will defer to our satellite export. 

Mr. Burr. It is not a proprietary question. 

Ms. McNamara. The encryption that has been used on U.S. sat- 
ellites that have been sold overseas, when there is encryption used, 
it is, as Secretary Reinsch describes, for telemetering the satellite 
itself and, for the most part, in fact, I believe in all cases with re- 
gard to China, always remain in the hands of U.S. persons. It does 
not have anything to do with the actual transmission of informa- 
tion over that satellite. It is for the control purposes of the satellite 
and when the U.S. persons were there at launch, the U.S. 
encryption that was used was, in fact, retained in the hands of the 
U.S. parties on the ground. 

Mr. Burr. But there is no encryption product in the satellite 
which protects the security of the data that is transmitted from the 
satellite? 

Ms. McNamara. In fact, these are dumb satellites. It is what — 
it is the medium over which people communicate. If the commu- 
nications or the originator of the communications uses encryption, 
then the information being passed over that satellite is encrypted. 
But it is encrypted from the ground, not because it transmits over 
the satellite. 



36 


Mr. Reinsch. If I could comment, Mr. Burr, though, Mr. 
Goodlatte’s hill. You have touched on a very central dilemma. Mr. 
Goodlatte’s bill would, in effect, permit the sale of strong 
encryption both to Chinese individuals who want to encrypt their 
communications in order to, do things that their government would 
probably rather have them not do and it would also permit the sale 
of that same encryption to other forces in the Chinese government 
who don’t want that to happen. 

Mr. Burr. I think the part that possibly Mr. Goodlatte is frus- 
trated over is the willingness for the Administration to understand 
the frustration that currently exists when that product is available 
here in this country, can be transmitted sold, carried out of the 
country to be used by people that we restrict U.S. companies from 
marketing like product to. I think, to some degree, we are like the 
ostrich with the common practice of the head in the hole. When we 
have our head in that hole, we believe nothing goes on while we 
are there. The fact is, in reality it is, isn’t it? 

Mr. Reinsch. If it will make Mr. Goodlatte feel any better — and 
I think he knows this — I am at least as frustrated as he is, perhaps 
for different reasons. But we are working very hard to try to pre- 
vent the situation that you have described from occurring. I have 
testified in other circumstances, I think, in the past before this 
Committee, that I, for one, would say if we were to reach the point 
at which you, in terms of commercial consequences, that you are 
anticipating, I would hope that the Administration would be wise 
enough to see that and adjust its policy. 

I think the disagreement we might have is whether or not that 
point has arrived now and, if not, how quickly it will arrive. I think 
what Ms. McNamara suggested is that, for a number of reasons, 
we find that point somewhat more distant than the Members of 
this Committee probably do. 

Mr. Burr. I hope you understand that my questions are more 
broad than specifically to the encryption issue. If my understanding 
is correct, this time next year, with the Merced chip in computers, 
the off-the-shelf leader model with exceed the M-top standards that 
we currently have requiring export licenses. Is that accurate? 

Mr. Reinsch. Oh, no question. In fact, I can tell you, I think my 
latest sound bite on that is if we don’t change what we are doing 
by the end of the year, we are going to be controlling Sony Play 
Stations. It is moving that fast. This is also something the Admin- 
istration is working quite hard on and we expect to be able to con- 
sult with you all and share something with you shortly. But I think 
it is going to come as no surprise to you that there will be a sub- 
stantial number of Members in your body who will oppose any 
changes, notwithstanding the point that you have made. 

Mr. Burr. I would agree with your statement that there will be 
quite a few people who oppose it. 

Mr. Reinsch. I am delighted to hear the consistency of your 
point of view. Not all of your colleagues are consistent on these two 
sectors. 

Mr. Burr. My hope is that that consistency is something that be- 
comes contagious with the Administration. 

Mr. Reinsch. We strive for it every day. 



37 


Mr. Burr [continuing]. As it relates to the need for these tech- 
nology companies to, one, compete; two, compete on a level playing 
field for the effort to grow to the next generation. With that, I will 
yield back. 

Ms. Ros-Lehtinen. Thank you. Mr. Rohrabacher. 

Mr. Rohrabacher. Yes. Speaking of consistency — and I will just 
put it right out front — I find it a bit appalling that representatives 
of this Administration would be here so adamantly arguing for 
something they claim to be, based in national security, like this 
encryption debate, while, at the same time, labeling Communist 
China, which is, at the very least, a potential hostile power — if 
most of us believe that it is a hostile power — by continuing to insist 
that we call Communist China a strategic partner of the United 
States. So I don’t want to hear much about consistency in this de- 
bate on the national security concerns of our country because the 
overall policy toward China is doing far more damage to our na- 
tional security than any of this type of regulation that we are talk- 
ing about today. In fact, if there isn’t a change in the basic, funda- 
mental approach to China, all of your talk about national security 
is irrelevant. 

What I see here is a lot of activity and a lot of effort being put 
into this effort to — let us, I will just put it right out — you are trying 
to strengthen government’s control, not of other people who are 
hostile to the United States, but trying to strengthen government’s 
control of ordinary Americans and American enterprise. I don’t 
want to — you hear this all of the drug dealers are going to do this 
and the bad guys are going to do this, but what do we end up with? 
Those guys are going to end up with encryption anyway. This is 
the message I am hearing all around me is these guys are going 
to end up — and I realize that this is taking to it to absurdism, you 
might say, but the fact is that when encryption is outlawed, only 
outlaws will have encryption. Sorry to put it that way, but after lis- 
tening to the arguments today, I have just come to the conclusion 
that the only impact you are going to have is on honest people and 
on enterprisers and not on people who are hostile to the United 
States. 

You are going to have the doctors in this country. You will have 
their electronic files open and available. You are going to have the 
lawyers, the bankers. I am a former journalist — trying to tell me 
that you are going to say you are not making it mandatory, but you 
are going to say it is going to be conditional, these restrictions are 
going to be conditional on whether or not people are dealing with 
the government? Journalists have to get up on their computer and 
dial in to get their automatic press releases now. The press re- 
leases aren’t handed out on paper. They come over the electronic 
processes. So in order to get those, the journalists, in order to get 
information from the government, they have got to say that they 
understand that their computers are going to be open to govern- 
ment snooping? All in the name of getting the bad guys? 

Let me just note: The government for the last 20 years has had 
all of this control and the ability to go in and snoop as you wanted 
to snoop and the drug war is a joke. You go down into any city in 
the United States of America and any kid can get drugs. This is 
telling us that we have got to open up the possibility in the years 



38 


ahead in the new millennium to have this type of power in the 
hands of the government in order to fight the drug war? It is a 
joke. You have been unsuccessful with all that power already. 
Again, the only people you are really going to affect are honest citi- 
zens like the doctors and the lawyers, the journalists and the rest. 

Let me just note this. In the years ahead, the computer systems 
that we have are going to serve as the basis of American pros- 
perity. Like it or not, that is the world that we are heading into. 
The Internet system will be used for enterprise and purchases that 
are the foundation — look at our stock market today. Where is the 
growth? Where is the faith in the investors? It is in these Internet 
stocks. What you are talking about is a threat to that foundation 
in order to make sure the government has the power to snoop. Yes, 
we need certain powers in the hands of the government to tackle 
the bad guys. But, as I say, I don’t see this as any type of threat 
to the bad guys because the bad guys will be the ones to get it and 
the good guys will be the ones who follow the law. 

Here is my question. That is my statement. Here is my question? 
I want to ask Mr. Lee this. Now your title, Mr. Lee, is what? 

Mr. Lee. I am an associate deputy attorney general at the De- 
partment of Justice. 

Mr. Rohrabacher. For? 

Mr. Lee. The titles don’t actually say for X or Y, but I work in 
part on national security and international matters. 

Mr. Rohrabacher. Was it you or your office that denied the ef- 
fort to get a wiretap on the suspect in the Los Alamos theft? 

Mr. Lee. As other officials of the Department of Justice have tes- 
tified, there is a process set up where the counsel for the Office of 
Intelligence, Policy, and Review reviews requests from the FBI for 
that kind of search warrant. 

Mr. Rohrabacher. Yes. So was it you or your office that denied 
that request for a search warrant for a wiretap? I understand that 
Mr. Lee who was the suspect in the case was the only wiretap that 
was denied. Is that from your office? 

Mr. Lee. Again — sir, I was not involved in that decision. 

Mr. Rohrabacher. Was that your office? 

Mr. Lee. There has been public testimony which, again, I don’t 
have the transcript in front of me, so I want to be careful not to 
be inaccurate in any respect, but there has been public testimony 
that the Attorney General asked a member of the deputy attorney 
general’s office to review that matter. That was not me. I don’t 
have any further firsthand information. 

Mr. Rohrabacher. That wasn’t my question. Was it your office? 
You are the head of an office. Was it your office that denied that 
request? 

Mr. Lee. Again, the public testimony is that the prior incumbent 
of my office had a role in evaluating that request. I do not have 
firsthand information and so I don’t think it would be appropriate 
for me to try to characterize it any further. 

Mr. Rohrabacher. I will take that as a yes. Let me suggest, as 
I did in my opening statement, when you have a wrong headed Ad- 
ministration that has wrong headed policies toward people who are 
hostile to the United States of America, no matter what we do on 
this encryption, no matter what powers that we grant to the gov- 



39 


eminent, we are not going to be safe. I feel, in fact, very hesitant 
to grant the type of enormous powers, as we come into this new 
age of electronics and computers, to grant this enormous power to 
the Federal Government, especially one that is represented by an 
Administration that is totally going the wrong way on national se- 
curity issues. 

With that, I yield back my time. 

Ms. Ros-Lehtinen. Thank you. Mr. Cooksey. 

Mr. Cooksey. Thank you. Madam chairman. Earlier today, I be- 
lieve there was a question about the effect of H.R. 850 on local law 
enforcement. It was mentioned that there was concern about this 
effect. 

I have a letter here from the Louisiana Sheriffs’ Association spe- 
cifically endorsing H.R. 850 and rejecting the escrowing of the 
encryption keys. I will ask this question of any one of you that is 
willing to answer it. Can anyone explain to me why the sheriffs in 
my area are not concerned about the effect of this bill? I will take 
a response from any one of you or all of you. 

Mr. VoEGTLiN. I can’t speak to the rationale of the Louisiana 
Sheriffs’ Association. Perhaps if you talk to folks at the National 
Sheriffs’ Association, they would be able to fill you in. I can’t speak 
to their concerns. I know, on behalf of my membership, the 17,000 
members that make up the lACP, that they have expressed, both 
through numerous Committee hearings and numerous membership 
resolutions that have been passed, that they are very concerned 
about this issue and its impact on their ability to perform at the 
State and local level. I can’t answer for the sheriffs. 

Mr. Cooksey. Would anyone else like to try? In their resolu- 
tion — and I will read a couple of them — they said the legislation 
proposed by the FBI would require all users of an encryption to de- 
posit a key with a key escrow agent that would be available to FBI 
access. The FBI access would create and maintain a dangerous and 
unnecessary vulnerability to Louisiana’s information computer in- 
frastructure while failing to offer any increased level of protection 
these systems require. While the FBI’s efforts toward recovering in- 
formation about criminal cases through high security encryption 
are well-intentioned, the key escrow plan poses too many severe 
threats to public safety, confidentiality, and legitimate computer 
users that far outweigh the isolated benefits it may provide. 

There is another resolution. Does anyone want to answer it now? 

Mr. Lee. Sir, it is hard to answer without having read the letter 
which I have not had the benefit of doing. Again, the Administra- 
tion is not proposing some massive central data base where every- 
one’s keys would be kept. We have been quite clear and consistent 
that, really, a variety of private agents who would be serving peo- 
ple’s whole range of security services for business needs is what is 
envisioned and that is what we want to work with industry on de- 
veloping. One of the needs that we think this set of services will 
have to address is the needs that businesses have for the recovery 
of their information and plain text. 

Mr. Cooksey. Do you think each one of those could be subject 
to hackers, to being broken into? Is that possible? 

Mr. Lee. It is certainly possible. 



40 


Mr. Cooksey. Is it probable? I see someone out in the audience 
shaking their head yes. 

Mr. Lee. I don’t have the information to answer that, sir. 

Mr. Cooksey. Let me just state that I feel very strongly on law 
enforcement. I have a very close working relationship with law en- 
forcement people in our area. We have some real professionals, par- 
ticularly some people from the Department of Justice, the FBI. We 
have got some top people. But I quite frankly don’t feel that you 
see the same level of loyalty to the principles of law enforcement 
in some of the political appointees in your Department and it is 
really a disappointment to me. 

I am not a career politician. I am a physician. I don’t want to 
be a career politician and I quite frankly hold a lot of the politi- 
cians in real contempt because of the inconsistencies I see. Here I 
see the potential for some more inconsistencies, but, that said, 
thank you. Madam chairman. 

Ms. Ros-Lehtinen. Thank you so much. Mr. Campbell. 

Mr. Campbell. Madam chair, out of courtesy to the next panel 
and the fact that I haven’t heard all of the testimony, I will yield 
and thank you and thank the panel. 

Ms. Ros-Lehtinen. Thank you so much. I will also furnish my 
questions in writing in courtesy of the second set of panelists. But 
we thank you very much for your patience and we appreciate you 
being with us today and we will look forward to continuing this 
dialogue as this bill goes through the process. Thank you so much 
to all of you. 

I would like to introduce the second set of panelists. We will 
start with Ira Rubinstein, who is senior corporate attorney for 
Microsoft Corporation. Prior to joining Microsoft, Mr. Rubinstein 
was an associate with different law firms and is currently a Mem- 
ber of the President’s Export Council Subcommittee on Encryption 
and serves on the Steering Committee for Americans for Computer 
Privacy. Mr. Rubinstein is the author of numerous publications ad- 
dressing export controls and encryption software. 

Mr. Jeffrey Smith is a partner at the firm of Arnold and Porter 
in the firm’s Legislative and Government Contracts Practices Divi- 
sion and serves as general counsel for Americans for Computer Pri- 
vacy. From 1995 to 1996, he served as general counsel of the Cen- 
tral Intelligence Agency. Prior to that, he was appointed by then- 
Secretary of Defense William Perry to the Commission to Review 
the Roles and Missions of the Armed Services. Mr. Smith has also 
served in various capacities within Congress, including general 
counsel of the Senate Armed Services Committee. 

David Weiss is Vice President of product marketing at CITRIX 
Systems. In this capacity, he is responsible for mapping the com- 
pany’s long-term product strategy and direction. He was instru- 
mental in the release of the industry’s first Windows application 
and launching Internet technology and, prior to joining the firm, he 
was a founding Member and Director in marketing for Business 
Matters, Inc., a financial modeling software company. This corpora- 
tion, CITRIX, I am proud to say is located in my hometown of 
South Florida and we are happy to have David with us today. 
Thank you. 



41 


Mr. Alan Davidson is the Staff Counsel for the Center for Democ- 
racy and Technology, a nonprofit, Washington-based organization 
that works to promote civil liberties on the Internet. Mr. Davidson 
is currently leading the efforts to promote encryption policies that 
protect privacy and, prior to joining the legal profession, Mr. David- 
son was a computer scientist. He worked as a senior consultant 
and designed the information systems for NASA’s space station 
freedom projects. He also worked on technology and policy issues 
at the U.S. Congress Office of Technology Assessment. 

Ms. Dinah PoKempner is the Deputy General Counsel of Human 
Rights Watch, one of the largest human rights monitoring organi- 
zations in the world. Ms. PoKempner has performed field research 
in Cambodia, Vietnam, Hong Kong, Bosnia, and Croatia for the or- 
ganization and currently directs institutional policy in various 
areas, including electronics, communications, and international 
law. 

Mr. Edward Black is the President and CEO of the Computer 
and Communications Industry Association, an international trade 
association comprised of leading computer, communications, and 
networking equipment manufacturers, software providers, tele- 
communications, and online service providers. Prior to being named 
president in earlier 1995, he served as vice president and general 
counsel for CCIA since the mid-1980’s. He currently serves as the 
Chair of the State Department’s Advisory Committee on Inter- 
national Communications and Information Policy. 

We thank all of you for being here today. We will be glad to put 
all of your statements in the record and we ask you to please be 
as brief as possible. 

Mr. Rubinstein. 

STATEMENT OF IRA RUBINSTEIN, SENIOR CORPORATE 
ATTORNEY, MICROSOFT CORPORATION 

Mr. Rubinstein. Good afternoon. Madam chairman. I greatly ap- 
preciate the opportunity to appear today before the Committee on 
behalf of Microsoft and the business software lines of BSA. I espe- 
cially wanted to thank you. Madam chairman, for your support of 
the SAFE Act in this and prior Congresses. I also want to thank 
the other Committee Members who cosponsored the bill this year. 

American software and hardware companies have succeeded be- 
cause we have responded to the needs of computer users world- 
wide. One of the most important features users are demanding is 
the ability to protect their electronic information and communica- 
tions securely. American companies have innovative products that 
can meet this demand and compete internationally, but there is 
one thing in our way: the continued application of over broad and 
restrictive U.S. export controls. 

BSA strongly supports the SAFE Act because it modernizes and 
liberalizes U.S. export controls. We urge the Committee to report 
the SAFE Act without amendment and we look forward to its pas- 
sage in the House this year. 

I want to emphasize three points today. First, any effort to con- 
trol mass-market products based on key lengths is doomed to fail- 
ure. Eight years ago in a 1991 study, the National Academy of 
Science discussed the nature of mass-market software and the fu- 



42 


tility of trying to control it. The NAS concluded, “The widespread 
availability of such software, coupled with its difficulty of detection 
and ease of reproduction makes any attempts at controls impos- 
sible,”. 

These observations and conclusions were true in 1991 and re- 
main true today. If anything, they are even more true, given the 
rise of the Internet and the other means for electronically distrib- 
uting software to mass-market customers on a worldwide basis. 
The addition of encryption functionality to mass-market products 
does not somehow alter these characteristics. Products that are not 
controllable at 56-bit key length do not become controllable at 
longer key lengths. 

My second point is that export controls create competitive advan- 
tages that foreign firms have been very successful in exploiting. 
Their entry point is U.S. export controls. Because U.S. firms are 
unable to satisfy customer demand for 128-bit encryption, non-U. S. 
firms create and freely distribute so-called step-up software whose 
sole purpose is to increase the key lengths of U.S. products from 
40 bits or 56 bits to 128 bits. At the same time, these foreign firms 
develop powerful service software and related applications for 
Internet banking, e-commerce, and secure messaging. They also de- 
velop consulting expertise to service key customers such as banks, 
ISP’s, telcos and online merchants. These are all the pieces needed 
to offer a complete package of 128-bit encryption to foreign cus- 
tomers and U.S. firms can’t compete with this. 

This approach has spawned several of the fastest growing and 
most successful non-U. S. software firms focusing on the Internet 
market. In the interests of time, I will just highlight one of them, 
a firm called Baltimore Technologies, which is an Irish company 
which recently merged with Zergo, a U.K. company, and now offers 
a complete line of e-commerce and enterprise security products. At 
this point, I would like to show you exactly how Baltimore markets 
its products over the Internet. 

[Slide.] 

These slides, these are slides of what you would see if you visited 
their web site. It is not a live connection, in the interests of making 
it go quickly. The first page is their homepage. You see in the 
upper lefthand corner that it is the Zergo homepage and it lists 
products and services and other information that you can find 
there. 

[Slide.] 

The next page includes in its marketing materials the very state- 
ment of the problem that we are here today to discuss. I will read 
it quickly. “U.S. export restrictions dictate that most web service 
and browsers cannot perform 128-bit encryption for security. In- 
stead, export versions of browsers, like Internet Explorer and 
Netscape Navigator and export versions of web servers like 
Netscape Enterprise Server and Microsoft Internet Information 
Server, are limited to 40 bits of encryption, which is not secure 
enough for most applications.” So here is the marketing material 
of a very successful foreign firm citing U.S. export controls. 

The success of these foreign companies threatens the growth of 
U.S. software firms and their contribution to the U.S. economy. It 
also threatens American technological leadership, the loss or dimi- 



43 


nution of which directly threatens U.S. national security and law 
enforcement objectives as well. 

Let me conclude with a final point and that is that the SAFE Act 
strikes the right policy balance by promoting the use of encryption 
for several purposes: to prevent crime by protecting sensitive com- 
munications data; to promote national security by protecting the 
nation’s critical infrastructure; to protect e-commerce; and to pro- 
tect individual privacy. Thank you, Madam chairwoman. 

Ms. Ros-Lehtinen. Thank you so much for your testimony. Mr. 
Smith. 

STATEMENT OF JEFFREY SMITH, GENERAL COUNSEL, 
AMERICANS FOR COMPUTER PRIVACY 

Mr. Jeffrey Smith. Thank you, Madam chair, and Members of 
the Subcommittee for the opportunity to testify on H.R. 850, the 
SAFE Act, sponsored by Representatives Goodlatte and Lofgren 
and cosponsored by a bipartisan group of over 250 House Members. 
I serve as counsel to the Americans for Computer Privacy, a coali- 
tion of 3,500 individuals, 40 trade associations, and over 100 com- 
panies representing a wide range of companies. We support policies 
that allow strong encryption and we specifically endorse the enact- 
ment of the SAFE Act and we respectfully urge the Subcommittee 
to report it without amendments for full Committee consideration. 

As Vice President Core said in September 1998 when he an- 
nounced the current Administration policy, developing a national 
encryption policy is one of the most difficult issues facing the coun- 
try. It requires balancing many competing objectives, all of which 
are of great importance to the nation. Strong encryption is essen- 
tial to protecting our Nation’s infrastructure, ensuring the privacy 
of electronic communications, protecting our national security in- 
terests, safeguarding the public, and maintaining U.S. leadership 
in the development of information technology. 

The challenge is how to do that. The question this Subcommittee 
must address is what is the best policy to achieve these objectives? 
It is the firm view of AGP and its Members that, given the breath- 
taking pace at which information technology, including cryptog- 
raphy, is developing around the globe, the only way to achieve 
these goals, in the long run, is to adopt policies that will assure 
American industry continues to lead the world in information tech- 
nology. 

It is often said that the first responsibility of government is na- 
tional defense and it seems to us that the President, Congress, and 
industry collectively have a responsibility to ensure that in the fu- 
ture our law enforcement and intelligence agencies have the ability 
to continue to protect this nation as they do today. Indeed, they 
will probably need additional resources and technical help to meet 
the challenges of the next century. But those challenges are far 
greater if they are forced to face a world in which the majority of 
communications pass-over systems that are foreign-designed, for- 
eign-built, foreign-installed, and incorporate foreign encryption. We 
are concerned that the current policy of this government risks just 
such an outcome. 

We have worked hard over the last couple of years with the Ad- 
ministration to help fashion its new policy and we are grateful for 



44 


the new policy, but we think further steps are needed and we urge 
the enactment of the SAFE Act. With that, I will yield the rest of 
my time. Madam chairman. 

Ms. Ros-Lehtinen. Thank you so much. We appreciate it, Mr. 
Smith. 

Mr. Weiss. 

STATEMENT OF DAVID WEISS, VICE PRESIDENT OF PRODUCT 
MARKETING, CITRIX CORPORATION 

Mr. Weiss. Thank you. I will try to be as brief. Good afternoon. 
Madam chairwoman, and greetings from the Sunshine State, and 
Members of the Subcommittee, thank you for the opportunity to 
speak with you this afternoon regarding this important topic. My 
name is David Weiss. I am the Vice President of product marketing 
for CITRIX. 

Ms. Ros-Lehtinen. Now, because you are a constituent, take all 
the time you like. 

Mr. Weiss. Thank you very much. I am pleased to be testifying 
this afternoon on behalf of the Software Information Industry Asso- 
ciation, SIIA, the result of a merger between the Software Pub- 
lishers’ Association and the Information Industry Association. SIIA 
represents 1,400 member companies engaged in every aspect of 
electronic commerce and has long supported efforts to liberalize 
encryption export controls and H.R. 850, the SAFE Act. 

CITRIX is the worldwide leader in server-based computing. Our 
products enable individuals to access applications which are run- 
ning on their corporate networks while traveling at home or from 
anywhere in the world. Since 1989, we have worked hard to ensure 
that we provide cost-effective products to allow businesses to de- 
liver access to their mission-critical applications to their employees 
and partners reliably and efficiently. Our products allow companies 
and organizations to share their corporate network resources with 
all of their employees, regardless of their physical location. 

In today’s fast-paced economy, companies must be able to com- 
municate and share information with their employees securely. 
Companies like mine have worked hard to develop technology and 
products that meet these critical needs, providing both individuals 
and businesses with the tools they need to remain competitive. 
Encryption has become a requirement for the technologies we de- 
veloped. Without these capabilities, we cannot assure customers 
that our products incorporate reliable security to protect their cor- 
porate communications and proprietary information. Encryption 
helps individuals and businesses meet the challenges that we face 
in the online environment, while assuring that we are able to take 
advantage of its key benefits. 

CITRIX products enable communications and information shar- 
ing, usually within a company and generally involving vital appli- 
cations. For most of our customers, the ability to communicate pri- 
vately with business colleagues is critical. Many use CITRIX prod- 
ucts to share sensitive information and require our products to pro- 
tect that data from misappropriation by unauthorized parties or 
misuse by otherwise authorized but negligent or malicious parties. 

Encryption is the only practical means by which parties to an on- 
line communication can trust that each is who he claims to be and 



45 


that the information is only available to its intended recipients. It 
is the only practical way to guarantee that the communication be- 
tween those parties remains protected. Such capabilities are crit- 
ical for both businesses and individuals seeking to take advantage 
to use the Internet. Without robust tools, no one can be assured 
that their online activities remain private and that their online 
transactions are trustworthy. 

Companies are rapidly developing innovative technologies and 
applications for use on public networks and users are just rapidly 
integrating these capabilities into their everyday lives. To ensure 
that this market continues to grow, consumer concerns like secu- 
rity, authentication, and privacy must be addressed. Without 
encryption, we simply can’t do it. We must be able to use and wide- 
ly deploy encryption if we are to help users protect against the in- 
herent vulnerabilities of public networks. In order for our cus- 
tomers to be able to communicate securely, our products offer a va- 
riety of encryption technologies, some of which cannot be exported 
under the current regulations. 

The impact on our company and all of U.S. industry is signifi- 
cant. Companies are forced to choose between incorporating 
encryption into their products to meet the consumers’ requirements 
or creating multiple product lines. If the company does not incor- 
porate the strong security features that so many businesses de- 
mand, their products will fail in the marketplace. If the manufac- 
turer does choose to incorporate strong encryption, it forgoes the lu- 
crative foreign marketplace and many companies, especially many 
young Internet startup firms that are shaping the electronic com- 
merce marketplace cannot afford to create multiple product lines. 

Given the time constraints, I just want to say that on behalf of 
CITRIX and the SIIA, we strongly endorse H.R. 850 and I will 
yield the rest of my time. 

Ms. Ros-Lehtinen. Thank you so much, David. To the panelist 
and our Congressional Members and our visitors, I have asked that 
Congressman Campbell be kind enough to Chair the remainder of 
the hearing. I have to go to the Floor and await my turn to speak 
on the Central America aid package so I have read your testimony 
and I look forward to sending you some questions in writing. 
Thank you so much. Thank you, Tom. 

Mr. Campbell, [presiding] Mr. Davidson. 

Mr. Davidson. 

STATEMENT OF ALAN DAVIDSON, STAFF COUNSEL, CENTER 
FOR DEMOCRACY AND TECHNOLOGY 

Mr. Davidson. Thank you. Good afternoon and I would like to 
thank you for this opportunity to testify in front of the Sub- 
committee on behalf of the Center for Democracy and Technology. 
CDT has supported the SAFE Act since it was first introduced in 
the 104th Congress. While we are pleased to be here testifying once 
again in front of this Subcommittee, it is unfortunate that we are 
here making many of the same arguments that we were making 2 
years ago. I would like to take the chance to thank the Chair and 
Mr. Goodlatte and the other sponsors of the SAFE Act and sup- 
porters of the SAFE Act for their continued support for privacy on- 
line. 



46 


I would like to make, briefly, three quick points today. The first 
is that the current U.S. policy harms personal privacy, that U.S. 
policy is failing in the international marketplace and that it is time 
to move on because a new, more comprehensive encryption relief 
package like SAFE offers is ultimately going to be better for public 
safety and individual privacy. 

CDT is here today because current U.S. policy does violence to 
our constitutional liberties here in the United States and to indi- 
vidual privacy around the world. We live in an era of eroding per- 
sonal privacy where more and more of our personal data is avail- 
able in electronic form and particularly on the Internet. Encryption 
is the essential tool to protecting the security of our data in this 
open, decentralized, global network. The U.S. export controls keep 
people from getting the encryption they need and protecting their 
privacy online. Most directly, export controls limit the availability 
of good, U.S. encryption products around the world, particularly in 
the mass-market products that most individuals use. 

Export controls also affect the security of people in the United 
States when they communicate abroad with people who don’t have 
access to those strong products. Finally, encryption products affect 
the security of the infrastructure by dumbing down our security in- 
frastructure and keeping us from making encryption something 
that is easily available to people around the world, including in the 
United States. In summary, encryption leaves us in the worst of 
both worlds. Sophisticated criminals, terrorists, rogue governments 
have access to it, but law-abiding individuals do not have security 
and privacy protected by the tools that they need. 

The second point I wanted to make was that U.S. encryption pol- 
icy is failing in the international arena. We were told 2 years ago 
that the world was on the verge of adopting key recovery and ex- 
port controls. In fact, the marketplace has failed to embrace key re- 
covery. The world community has failed to embrace export controls 
and key recovery as well. In fact, as we have heard in testimony, 
many countries, including countries like Ireland, Canada, and Fin- 
land, are moving in the opposite direction. Even some of the 
staunchest U.S. allies, the U.K. and France, have failed to com- 
pletely embrace U.S. encryption policy. 

U.S. encryption policy is failing in the courts. Just earlier this 
month, the Ninth Circuit Court of Appeals found that export con- 
trols on encryption source code were unconstitutional violations of 
the First Amendment. The court ruled that these were prior re- 
straints on free expression that rest boundless discretion in govern- 
ment officials. I think that the court recognized something that the 
Administration hasn’t, that you can’t stop the spread of ideas at 
the border and that especially you can’t do it without doing vio- 
lence to our First Amendment. 

I think it is time for our U.S. encryption policy to move on. We 
are setting the ground rules today for how much privacy people 
will have as they move their lives online. On balance, we believe 
that strong encryption both serves individual privacy and protects 
public safety and that kind of change is not going to happen with- 
out your help. While we remain concerned about certain criminal 
provisions in the SAFE Act, we believe that, on the balance, the 
bill is a dramatic step forward for individual privacy and public 



47 


safety and I would encourage you all to support its rapid passage 
without any weakening amendments. 

Mr. Campbell. Thank you, Mr. Davidson. 

Ms. PoKempner. 

STATEMENT OF DINAH POKEMPNER, DEPUTY GENERAL 
COUNSEL, HUMAN RIGHTS WATCH 

Ms. PoKempner. Thank you. I appreciate very much the oppor- 
tunity to come before this Committee. I am Dinah PoKempner, dep- 
uty general counsel of Human Rights Watch, one of the largest 
human rights research and reporting organizations in the world. 
We have used encryption for many years and I am going to present 
two examples from my testimony. There has been a great deal of 
discussion at this hearing about, on the one hand, the economic in- 
terest inherent in encryption and, on the other hand, law enforce- 
ment and national security. 

I am going to tell you a little bit about human rights applications 
of encryption and, in particular, dwell on two examples. Now the 
Internet revolution changed human rights advocacy dramatically. 
We can now report on things in real-time. We can reach massive 
audiences very inexpensively and really mobilize popular opinion 
and action as never before. But we have a problem. Electronic com- 
munications are inherently insecure and this can have deadly con- 
sequences for human rights activists. Every year, human rights ac- 
tivists are attacked, jailed, disappeared, and killed. We document 
this in our world report. In 1998, we counted 10 such killings be- 
fore the report went to press. 

So, for this reason, our researchers routinely use encryption 
when they are in dangerous places like Bosnia, China, Lebanon, 
Rwanda, Kashmir, Hong Kong, and Belgrade. I am going to give 
you a couple of examples. We have had a researcher who was ar- 
rested last year in the Kinshasa airport and detained for 24 hours 
while guards threatened to beat him. Eortunately, all of his re- 
search was encrypted. By the way, he was on a human rights in- 
vestigation mission for which he had obtained a visa. It was per- 
fectly transparent and obvious what he was doing. Yet, the govern- 
ment arrested him to get his information. Eortunately, because he 
felt secure his information was safe, he was able to delay until his 
release could be secured. 

We have a situation where the lack of security produced abso- 
lutely devastating consequences. Eor example, last year in April, a 
Member of the United Nations Secretary General’s investigation 
team who went to gather evidence of massacres of Rwandan refu- 
gees in the eastern part of what was then former Zaire was ar- 
rested when he returned to Kinshasa. The Congolese authorities 
meticulously copied his research notes, as well as maps and reports 
that had been given him by local human rights activists. This infor- 
mation set off a man hunt for all of this official’s informants. Many 
of these human rights activists had to go underground to emerge 
later as refugees and one, Galilean Ntirivamunda, has disappeared 
and is presumed dead. 

In contrast, our researcher, who had gone the year before, took 
pains to every night burn his notes after he had typed them into 
his lap top, encrypted them, and transmitted them. So, as this ex- 



48 


ample might give you an idea, global access to strong encryption 
is vital, not just access for United States residents and citizens. 

I am going to give you one more example that will point out some 
of the problems that export controls can bring up and that is what 
is going on in Kosovo. It is very difficult. The strong encryption is 
available right now, but it is really difficult to master it, download 
it, familiarize yourself, and exchange keys when you are in the 
middle of a war. That is what is going on right now in Kosovo. Peo- 
ple who want to report abuses can’t communicate securely. The 
Serbian government is believed to have sophisticated Russian tech- 
nology that enables them to crack code. 

So privacy advocates teamed up with a private company called 
the Anonymizer to create a gateway that allows people living in 
former Yugoslavia to access the Anonymizer and, through the 
Anonymizer, have confidential and encrypted communications. But 
there is a problem which one of the other panelists alluded to. If 
you have a browser that is export strength, this is not secure. Your 
communications can be intercepted. So you have to still do yet an- 
other step of going to another site, downloading yet more software 
to upgrade your browser. It still doesn’t solve the problem of secure 
communications in the most difficult circumstances, in crisis situa- 
tions. 

This is what I wanted to point out is that export controls, among 
other things, inhibit the development of products that would be 
most useful to human rights activists. That is, mass-market strong 
encryption that is ubiquitous, that is built-in, that is easy-to-use, 
that you don’t have to be a computer expert or adept to use. I am 
certainly not one and most human rights activists aren’t adept ei- 
ther. 

I am going to end that with the thought that when we talk about 
the kinds of policies the United States is going to adopt, it is going 
to be looked at as a global leader. It is going to be looked at as a 
model. Will we adopt policies that will allow our government to 
continue to protest abuses of human rights advocates and suppres- 
sion of human rights abuses? Are we going to hold encryption hos- 
tage to the fear of sophisticated terrorists and criminals who are 
going to use it no matter what the legality is and then deprive law- 
abiding citizens and human rights activists of its benefits. 

I will just finish by saying that what I would like you to keep 
in mind is that what is at stake is more than just our market 
share, more than abstract principles of privacy and free expression 
against, say, the tangible reality of terrorism. There are actual 
lives of human rights advocates at stake and that is what I would 
like you to keep in mind. 

Mr. Campbell. Thank you very much. I only regret that the Ad- 
ministration spokespersons are not here to listen to you as you lis- 
tened to them. 

Mr. Black. 

STATEMENT OF ED BLACK, PRESIDENT AND CEO, COMPUTER 
AND COMMUNICATIONS INDUSTRY ASSOCIATION 

Mr. Black. Thank you for the opportunity to testify before you 
today and I apologize for my not-yet-disappeared laryngitis. 
Encryption is a subject of vital importance to the members of the 



49 


Computer and Communications Industry Association and to all of 
our industry. I have to take a quick aside and say as a citizen, 
however, I think Dinah’s comments are just so right-on and that 
is a key part of this that we should never focus on. We will focus 
on the business aspects, but it is hard not to think of the impor- 
tance to freedom and democracy of real meaningful encryption 
available to people around the world. 

Like the current key recovery requirements, the Administration’s 
original Clipper Chip proposal would have mandated that all 
encryption products contain a back door for law enforcement and 
national security agencies to give them access to the plain text of 
any communication or computer file upon request. Not surpris- 
ingly, CCIA members continue to oppose the Administration’s pol- 
icy, as do most of the high-tech industry, most of the broader busi- 
ness community, and privacy groups. The Administration sup- 
porters on the Hill, we think, are also few and dwindling in num- 
ber. 

Because of CCIA’s members support for the SAFE bill, which we 
think is an excellent bill which we congratulate Mr. Goodlatte and 
Congresswoman Lofgren on, we believe that it is possible that — we 
will use the word “proliferation” — proliferation of encryption is 
going to happen, is important to happen. We think the use of 
strong encryption around the world is essential to reaching the full 
potential of electronic communications and commerce. We all recog- 
nize that the relaxation of encryption export restrictions is of crit- 
ical importance if we are to fully realize the information age we 
have just entered. 

I want to address quickly the Administration’s contention that it 
does not control or seek to control domestic use or sale of 
encryption. The National Security Agency has testified on numer- 
ous occasions that the full implementation of the Administration’s 
key recovery plan would have no impact on their ability to carry 
out their national security mission. The only logical inference is 
that the key recovery export policy is designed to benefit domestic 
law enforcement agencies while avoiding the political and constitu- 
tional pitfalls of direct domestic restrictions. 

Another fallacy of the government’s policy is that the United 
States has some monopoly on the science of crypto^aphy or the 
production of encryption tools. This is hard to justify in light of the 
government’s own efforts to replace the current DES encryption 
standard with a new advanced encryption standard, AES. Of the 
15 logarithms submitted in the NIST competition, 10 were from or- 
ganizations outside of the United States, including countries such 
as Australia, Belgium, Canada, Costa Rica, England, France, Ger- 
many, Israel, Japan, and South Korea. At least half of the five fi- 
nalists are likely to be foreign competitors and it is very possible 
that the next U.S. Government standard for encryption will be de- 
signed outside of our borders. 

To further illustrate the international nature of this industry and 
the futility of our export controls, let me give you an example of 
how the Administration policy has affected just one of our member 
companies. Integrity Solutions is one of the world’s leading vendors 
of secured application technologies. They are based in San Jose, 
California. Because of our export laws, nearly all of their recent 



50 


growth in staffing and development has been in overseas locations 
in Sweden and the United Kingdom. This was not by design. They 
originally only intended to be based in the U.S. and Sweden, but 
it was a response to the continued restriction of U.S. exports on 
encryption. 

Later this month, it will announced that Integrity, its partner- 
ship with Major Systems Integrators, will be awarded a contract 
for all certificate authentication technology for the Special Adminis- 
trative Region of Hong Kong. They expect that this contract will 
reap millions of dollars in annual revenues and eventually expand 
to include other Asian nations. Unfortunately, none of the revenue 
will come to the United States and none of the jobs that this con- 
tract will create will go to Americans. Because of our export laws, 
all of these products and services will be shipped out of the United 
Kingdom division. Had the contract not gone to Integrity, it would 
have gone to an Irish company, which would have been the alter- 
native winner of the contract. 

My question is: How does our current policy support important 
U.S. interests? We are driving American companies and jobs over- 
seas and driving their customers to foreign competitors without 
any significant impact on our national security or law enforcement 
capability. It is just nonsense. 

I wish that I could say that if we experienced further relaxations 
in export controls or even enacted The SAFE bill, we would some- 
how regain these lost jobs and revenue; however. Integrity has al- 
ready established a critical mass of overseas presence. They are be- 
yond the point of no return. They will continue to derive a majority 
of the revenue and experience nearly all of their growth in foreign 
countries regardless of what we do to our laws. I can only hope 
that we take quick action to prevent this scenario from becoming 
even more common and repeated over and over again until we 
reach the point where a huge portion of this industry has migrated 
overseas. Chairman, Members of the Committee, thank you again 
for the opportunity to testify today. 

Mr. Campbell. Thank you, Mr. Black. The first questioner will 
be Mr. Goodlatte. 

Mr. Goodlatte. I thank you, Mr. Chairman, and I would like to 
echo your observation that it would have been very helpful if the 
Administration’s witnesses had been here to hear this excellent tes- 
timony and, not only that, but the members of the media. I think 
that the intensity of the debate has gone out of the hearing because 
I think we are in great agreement with what you have to say. 

I would like to ask you about some of the points that were made 
by the Administration witnesses. First, they made the statement 
that this legislation would not be in compliance with the 
Wassenaar agreement. I would note that the Wassenaar agreement 
has never been ratified by the U.S. Senate. It is purely a voluntary 
effort of the Administration only, but it seems to me that the way 
it is drafted the legislation, which provides for an application of ex- 
port controls in real national security instances, does comply. I 
would ask first, perhaps, Mr. Rubinstein if he would comment on 
the impact of this legislation on the Wassenaar agreement. 

Mr. Rubinstein. I think the earlier testimony was that it vio- 
lated Wassenaar by not having adequate review provisions and I 



51 


think that is an incorrect reading of the SAFE Act. There is a pro- 
vision in all of the key export control sections allowing for technical 
review of products prior to export and I think that is the key re- 
quirement. If there is any difference, really, between the SAFE Act 
and the positions that have already been taken by some of the for- 
eign countries that are signatories of the Wassenaar arrangement, 
it is that the SAFE Act requires review, but then, otherwise, does 
not restrict export. 

What other countries have done in technical compliance with the 
Wassenaar is to simply impose a licensing requirement, but that li- 
censing requirement is one that says strong encryption may be ex- 
ported under general license. So that is, I think, a very limited 
form of compliance and hardly achieves the results that were 
trumpeted when this announcement was first made, namely that 
it levels the playing field. All it really does is allow these other 
countries who already have strong encryption vendors in their ju- 
risdictions to comply in appearance by saying there is a general li- 
cense requirement, but then the companies are able to export the 
same products they did prior to that arrangement. 

Mr. Goodlatte. Anyone else? Mr. Black? 

Mr. Black. I will pass. I will take some other questions, but, for 
the moment 

Mr. Goodlatte. Anyone else care to comment on that? If not, let 
me go on to the next — Mr. Davidson. 

Mr. Davidson. Just to say that I think our reading is very much 
the same that it certainly seems that SAFE, on its face, does not 
necessarily come into conflict with Wassenaar, both in letter and 
in spirit. That I think that it was particularly interesting to me 
that Ms. McNamara was careful to say that Wassanaar merely per- 
mits nations to adopt export controls. It does not necessarily re- 
quire them to adopt export controls and are reading is that SAFE 
does not violate either the letter or the spirit of Wassenaar. 

Mr. Black. Maybe if I could take my turn and just respond. We 
have a long experience in the Association of export controls and ev- 
erything from computers to telecom. We have a lot of experience 
with what national discretion means. What we think the adoption 
of your legislation here would in fact put us in the position that 
for decades every other country was in, which we would have a 
standard which might be a little saner and less restrictive than 
other countries. We think it would be very consistent with certainly 
what is the spirit of Wassenaar as it will be interpreted by most 
other countries, which is they are going to go off and sell whatever 
they want without any restrictions. So certainly the spirit, we 
think, would be complied with. 

Mr. Goodlatte. Thank you. The Administration’s witnesses 
seemed to be divided into two camps: Law enforcement folks con- 
cerned about recoverable encryption — and I think we have pretty 
well addressed that. The questions asked of that panel. Why that 
will not work. Although we failed to mention the enormous cost of 
it. The cumbersome, perhaps even unworkable nature of having a 
system where billions of keys are stored by somebody under some 
very costly and bureaucratic system. 

But the other issue wasn’t touched on as much. That is that the 
National Security folks seemed to be concerned about the imme- 



52 


diate decontrol — the words used by Barbara McNamara — and I 
think the effort on their part seems to be to delay the implementa- 
tion of strong encryption, and I wonder if you might comment on 
the effect of such a delay. Mr. Smith. 

Mr. Jeffrey Smith. I will take that one if I may. It is our sense 
that NSA is aware that sooner, perhaps rather than later, they will 
face a world of ubiquitous encryption perhaps produced outside the 
United States. I cannot speak for them, but my guess is that they 
recognize that and are hoping that delay will somehow permit the 
market to develop in such a way that it permits them to continue 
to do what they do. 

Our concern is that, as I said in my statement, the current policy 
is driving us much more rapidly toward a world where there is, in 
fact, ubiquitous encryption, but it is not ours. I think the con- 
sequence of that for the nation, for everything that we are trying 
to achieve, is quite substantial and is why the SAFE Act is, in our 
view, such an important vehicle. 

Mr. Goodlatte. Thank you, Mr. Chairman. 

Mr. Campbell. Thank you, Mr. Goodlatte. The Ranking Member 
of the Committee, the gentleman from New Jersey. 

Mr. Menendez. Thank you, Mr. Chairman. I want to thank the 
panel. I had to step out for a few minutes, but maybe you can help 
me. I was glancing through some of your written testimony of that 
which I may have missed. Is it fair to say that the synthesis of 
your respective testimonies is that, in fact, what I was asking the 
previous panel in terms of what can you really control here at the 
end of day, that the consensus is, I think Mr. Smith has just said, 
that this is available. It is available outside. It is available domesti- 
cally. It is available abroad. Ultimately, all those who wish to have 
access for the purposes of doing that which the previous panel is 
concerned about presently have that access right now. Is that a fair 
statement? 

Mr. Black. Yes. 

Mr. Jeffrey Smith. Yes. 

Mr. Weiss. Yes. 

Mr. Davidson. Yes. 

Mr. Rubinstein. Absolutely. 

Mr. Menendez. Second, could you — any of you who choose to do 
so — quantify the potential loss this year if we do not move in a 
manner that would, for example, on Mr. Goodlatte’s legislation, the 
regime that would be established there, if we don’t move in that 
direction, what are the potential losses to American companies? Do 
you have any sense of quantifying that? 

Mr. Weiss. I can take a very small attempt, looking internally 
at my own company. We are a relatively small software company 
at $250 million. While encryption has not been a significant issue 
in the first 7 years of our existence, over the past 3 it has been and 
I would quantify our loss last year due to our inability to either de- 
velop or supply strong encryption technology to our customers, mul- 
tinational customers or customers outside the United States, as ap- 
proximately 10 percent of our revenue. I expect that to grow as a 
percentage substantially as we begin to build the infrastructure 
surrounding the digital age of which my company hopes to partici- 



53 


pate. So that number will only increase as a percent and really put 
a cap on the markets that we can play in. 

Mr. Menendez. Is there any other industry sense of 

Mr. Rubinstein. It is hard for me to quantify, but I would make 
two observations. One is that a pronounced trend in the last few 
years is the use of PC’s for ever more complex and demanding com- 
puter applications so PC’s networked together have begun to re- 
place minicomputers and mainframe computers and really run the 
infrastructure of many large organizations and I think that has 
made encryption and security a much more important aspect of 
software sales even for mass-market vendors like Microsoft and 
other members of the BSA. 

Mr. Menendez. Let me ask another question. This is hypo- 
thetical, but I would like to get a sense of what the industry might 
say. If we were to, the U.S. Government, were to fund the appro- 
priate United States agency to work with the private sector to do 
decryption technology, what would the industry’s response to that 
be? 

Mr. Jeffrey Smith. If I might address that. Industry has ac- 
knowledged that the law enforcement and National Security Agen- 
cies face a real challenge in the future and recognize that they may 
not have the technological skills possessed by industry. So as the 
Administration panel said and as we have said in several of our 
statements, industry is working with government to help them 
reach that understanding. I can’t comment for how industry would 
react to a specific proposal to provide specific funding to that, but 
there are some suggestions like that, including one from Senator 
Bob Kerry in the Senate that I, as a personal matter, find intrigu- 
ing. But whether industry as a whole would be prepared to support 
that, I certainly can’t speculate. 

Mr. Black. If I could, I think we would all like to think that 
there would be a solution like that. In all honesty, I think the re- 
ality that it is sand going through the fingers and I don’t think you 
pick it back up again with open hands. The idea of brute force, at- 
tack, is there. It is possible at the edges, but most of the folks we 
talk to it really is probably not a viable result. Key recovery is 
not — we have all looked for years for some magic bullet that goes 
down the middle and takes care of everybody’s concern. We just 
don’t find it. 

Mr. Davidson. I would just like to echo and say that I think, 
first of all, most people in the technical community don’t think that 
brute force attacks are going to work at these high-strength 
encryption products. I wanted to address a comment that was 
made by the Justice Department representative earlier about the 
fact that they were still searching for new — that we are not talking 
about key recovery anymore. That it is really about new kinds of 
access technologies and I would just like to say that, we have been 
playing the name game on this from key escrow to commercial key 
escrow to key recovery and now it is plain text access. 

All of those systems have the same problem which is that the 
same system that allows surreptitious access by government also 
creates a huge vulnerability that allows surreptitious access by the 
people that you are trying to protect yourself from by encrypting 
to begin with. There are a series of real security and economic con- 



54 


cerns that have been raised about the viability of these systems 
that have gone — are being completely unaddressed. 

There is a report that we submitted to the Committee — and 
hopefully you folks have seen this — on the risks of key recovery. I 
would encourage people who are concerned about the national secu- 
rity and law enforcement aspects of all of this to ask particularly 
in those classified briefings, perhaps, ask to have the questions 
raised in this report answered because I think the problem has 
been that they can’t be answered and that we don’t have a viable 
system that provides access and protects security and that is why 
these systems haven’t caught on. 

Mr. Menendez. I thank you all for your patience and your — ^yes. 

Mr. Rubinstein. If I could add just one point there, there was 
some discussion in the earlier panel of whether the dialogue be- 
tween industry and law enforcement had withered away over the 
last year and I would agree with Mr. Reinsch that it has not and, 
in fact, there has been some very productive dialogue going on and 
going on, quietly, but taking place. At the heart of that dialogue, 
I think, is the recognition by law enforcement that there is no 
magic bullet. 

The precondition for a constructive dialogue is the recognition 
that there is no single solution that industry can offer but, instead, 
what is most important is that law enforcement devote more re- 
sources to learning about the new technology to understanding how 
it is used and, of course, in order to effectively use that, that tech- 
nology has to be developed and produced in the United States. 

Mr. Menendez. Thank you for your testimony. Thank you, Mr. 
Chairman. 

Mr. Campbell. Thank you, Mr. Menendez. It is my turn. I have 
three specific questions and they are first directed to Mr. Rubin- 
stein. This example you gave us of Zergo. 

Mr. Rubinstein. Yes. 

Mr. Campbell. Did they cooperate with Microsoft or with 
Netscape in developing their solution? 

Mr. Rubinstein. No. Let me also apologize. When I was showing 
those slides, I failed to show the last slide which was the download 
page and which listed a number of tool kits and add-on products 
that were available from Zergo. In no case did Microsoft supply 
technical assistance nor was it even asked to do so because — if I 
can try to explain this simply as possible — if you have a browser 
that is signing onto a web server, what you do is you insert two 
pieces of software between that communication so that the browser 
talks to this first piece, the first piece to a second piece, and then 
the second piece to the existing server. It is those two intermediate 
pieces that secure the communications at 128 bits. It just takes 
that flow and inserts this new connection and it decrypts it again. 

Mr. Campbell. I follow. 

Mr. Rubinstein. So there is no need for U.S. cooperation to ac- 
complish that. 

Mr. Campbell. Although, at some point, the company, Zergo, 
must have access to Microsoft’s code in order to — they just have to 
decompile what Microsoft is using in that first of the four steps in 
order to make a good interface, I assume. 



55 


Mr. Rubinstein. Right, although one of the very significant 
changes in this whole debate that has occurred results from the 
fact that Internet products are built according to international 
standards so, regardless of the specific company implementation, as 
long as those standards are met, the standards are readily avail- 
able. Even reference code is available on a worldwide basis. 

Mr. Campbell. Thanks. Let me ask a hypothetical question then 
of any of the panel, but particularly of the attorneys. Would it be 
a violation of the Export Control Act in this situation for Netscape 
or Microsoft to have assisted Zergo in that it — you see my question. 
I am not sure of the answer. You tell me you didn’t. That is fine. 
I am pleased. 

Mr. Rubinstein. The answer would be yes. There is a specific 
provision that deals with providing technical assistance to a foreign 
person in the manufacture of encryption 

Mr. Campbell. Thanks for answering. It was the answer I was 
afraid I might get. A question to Mr. Black and Mr. Smith. This 
is a technological question of which I am ignorant. Does the ability 
to deencrypt develop as the ability to encrypt or are they different 
disciplines? 

Mr. Black. They are really the same coin. The skills are, there 
are differences but it really is the ability to do one is the same set 
of skills and you will find the same people able to do the other. 

Mr. Campbell. Would you agree, Mr. Smith? 

Mr. Jeefrey Smith. Yes. 

Mr. Campbell. I hit a wall in mathematics at differential equa- 
tions. They didn’t make any intuitive sense to me. That is when I 
stopped. I have a sense there is a point of complexity at which 
encryption can become like those differential equations so that 
when it goes to a certain level, the ability to deencrypt is just lost. 
Am I wrong or does deencryption actually follow right along with 
the ability to encrypt so that if we go to longer and longer bit 
length, we will have industry capable of eventually breaking that? 

Mr. Black. In the real world, we have seen the development of 
technology that is more and more powerful and, whatever NSA 
says, I think many of us think they have a lot more capability than 
is there. But it still lags behind and lags behind substantially and 
I think we are — most of us think we are at point where, for all 
practical purposes, the ability to use brute force deencryption is 
just not going to be available in the future. 

Mr. Davidson. If you will forgive the mathematical terminology, 
the difficulty in decrypting increases exponentially with the in- 
crease of the bit length. So, for example, the difference between a 
56-bit key and a 64-bit key, it is only 8 bits longer. But it is 256 
times more difficult to decrypt in terms of the time it takes to do 
a brute force attack. So when you move to something like 128-bit 
keys, which are widely available outside of the United States, you 
reach a point where people start to measure the amount of time it 
would take to decrypt this using, technology that we 

Mr. Campbell. Thanks. 

Mr. Black. We have a number which is 256, the number of pos- 
sibilities at that level equal the number of particles in the universe. 

Mr. Campbell. Subatomic? And 256 is 2 to the 8th power? Is 
that where that came from? I was wondering 



56 


Mr. Davidson. 256-bit length. I think you are talking about keys 
that are 256-bits long. 

Mr. Campbell. Let me just understand the algorithm. So if you 
increase bit length by X bits, what is the effect on the 

Mr. Davidson. Two to the X. So, for example, each bit doubles 
the amount of times. 

Mr. Campbell. That is what I thought. Two to the eighth. That 
is what I was asking. 256 is 2 to the 8th. You are measuring that 
in terms of time difficulty of deencryption. 

Mr. Davidson. Right. The number of steps; the number of things 
you have to check. 

Mr. Campbell. The number of steps. 

Mr. Davidson. It is really like doing a combination lock and try- 
ing all of the combinations. 

Mr. Campbell. OK. 

Mr. Black. There is always a chance you will stumble on it right 
at the beginning, but you have to assume you don’t. 

Mr. Campbell. Thanks. My last question is to Ms. PoKempner. 
Understand, I am entirely on your side of this. Nevertheless, it 
seems to me the logic of your position would oppose a universally 
accepted agreement, a Wassenaar that really worked, whereas 
every other member of the panel might be able to live with that 
because it would not put an American firm at a competitive dis- 
advantage, the burden of your testimony is the value of encryption 
so strong that no government can break into it. Am I reading you 
correctly? 

Ms. PoKempner. I am reluctant to sound like an absolutist be- 
cause I do believe that there are genuine national security and law 
enforcement issues here, but the problem is that virtually unbreak- 
able encryption exists. We use it. We use 128-bit encryption. For 
practical purposes, no one is going to break that very fast. So we 
live in a universe where that is already out there and my concern 
is that U.S. attempts to either influence the Wassanaar arrange- 
ment countries policies or its own domestic export controls ulti- 
mately have the effect of taking strong encryption out of the hands 
of the law-abiding people like ourselves who need to use it but 
don’t have any deterrent effect on all of the bad guys that are con- 
stantly paraded before us as the reason for these controls. 

It is a difficult equation. I think that there is a balance and a 
difficult judgment call that has to be made at the point where 
enciyption becomes ubiquitous, which I do believe is an inevi- 
tability. It is just a question of whether the U.S. is going to be part 
of that. 

At that point, obviously, computer-challenged people like myself 
can use it easily and so can the stupid criminals that were referred 
to earlier. So everyone can use it. Then you have a question of, in 
terms of deterring street crime versus protecting human rights ac- 
tivists, people who want to communicate from totally repressive sit- 
uations. People who want to, preserve their privacy, their medical 
records, their commerce, then you have a very complicated bal- 
ancing task. 

But I think that is really where the level of debate should be. We 
are not talking about international terrorists versus, all the other 
interests because the international terrorists already have access. 



57 


Believe me, if my colleagues can use it, the international terrorists 
are much more capable. 

Mr. Campbell. I would like you to come back in another occasion 
and tell us what you and Human Rights Watch found in the Demo- 
cratic Republic of Congo. I’m going to be polite to my collea^e and 
yield to him in just 1 second. Though if you would be — and indulge 
me. Brad, I didn’t speak before and I just wanted to kind of put 
on record my own thought. I will take about 30 seconds. 

It would amaze me if the founders who wrote the Fourth Amend- 
ment were presented with Congress passing a law compelling 
Americans to make their communication more easily intercepted by 
the government. Would it not? That is, it seems to me, what we 
are asking. As to those who say national security and crime, I 
would say — and this is my one polemic, forgive me. Then I yield to 
my friend. My one polemic for today — I can give you safe streets, 
just get rid of that pesky Fifth Amendment and I will beat some 
confessions out of people and I will give you a safe a major city in 
America, every major city safe from street crime. But get rid of this 
warrant requirement because it is too tedious; probable cause is a 
heck of thing 

So it isn’t that we who believe in freedom ignore the other side. 
We believe that our country made that compromise 200-plus years 
ago. I yield to my colleague from California. 

Mr. Sherman. Mr. Chairman, thank you. Thanks especially for 
your technical questions. Like you, I hit a wall in mathematics. In 
my case, I hit it at long division. 

It seems like we are confronted with three levels of criminals. 
There are the street criminals who aren’t going to use lap tops, let 
alone encryption. There are the semi-sophisticated criminals who 
pretty much transact domestic crime — and I would like anybody on 
the panel to correct me if I am wrong — these folks can get all the 
encryption they want at the local software store today and, if they 
can’t, it is just because you folks haven’t made it yet and you will 
and you don’t need to change the law to put really great encryption 
in every Egghead store in America. I see a lot of heads nodding. 
Then you get up to the international criminals who you would 
think would be sophisticated enough to send the encryption that 
they need over the line, buy it from a foreign source. 

I am at a loss to try to figure out who we are trying to protect 
ourselves from. Now, as I understand it, if they get a warrant, they 
can look at your bank records and if you sent a message to your 
bank by encryption, the bank knows how to unencrypt it. I see 
some heads nodding. So this whole — the Administration effort is, I 
think, as the Chairman pointed out, an effort to make sure that 
when we send messages to each other we do it in a form that is 
most easily wiretappable and then understandable. Which is — now 
one could imagine that that would be argument. That we would 
really say we want everything that goes over the wire to be 
interceptable and decipherable. But that is not what we are doing. 
We are saying, well you can encrypt, you just can’t do it inter- 
nationally. 

Which seems to — and I will go back to what I said before because 
I thought it needed a little explanation when I thought that the 
Administration was just trying to punish the software industry, but 



58 


it seems like they are just angry that domestic messages will he 
encrypted in ways that they cannot decipher and the only handle 
they have under our legal system is to try to punish that industry 
or throw a temper tantrum by saying, we have got this law where 
we won’t let you export it. I don’t think there is a question in there 
anywhere. 

Yes, my more senior colleague from California illustrated and ex- 
plained to me just earlier today how I should deal with this and 
that is, I say, don’t you agree? 

Mr. Black. Your questioning actually earlier was, I thought very 
much on point where you were trying to get some people in the Ad- 
ministration to acknowledge that the concept of mandatory and vol- 
untary that there is something in between which is called coercion, 
extortion, and that is really what we see going on. They are using 
the export control rules to try to force, coerce people into adopting 
practices because they don’t want to say domestically that some 
people in the Administration really want to have the controls. It is 
really disingenuous, in our view, for them to be saying that this 
kind of heavy leverage, put a gun to your head, let us make a deal 
is not really pushing and forcing and mandating it. It is not any 
semblance of voluntary. 

Mr. Sherman. Let me sneak in one more question here and then 
this is really the question: What would it take for a foreign com- 
pany to produce encryption that works well with Microsoft and 
other U.S. -created products and to sell that encryption product 
around the world? Is there any prohibition on us importing 
encryption? Everybody’s saying no. I do that so the record will ac- 
tually reflect your head shakes. Mr. Davidson, you were about to 
say something? 

Mr. Davidson. I was going to agree with your earlier comment 
and say I think you are right and your second question gets to that 
also, which is that really what this is about seems to be an attempt 
to slow-down the spread of encryption. That is the best that we 
hope for in this policy and, to some extent, it has worked so far. 
I think what you are hearing from us is that now the costs of that 
policy far outweigh any incremental benefits of continuing it, that 
the costs not only to business, but to privacy interests of individ- 
uals, to the human rights workers around the world and others, 
you know are too high for continuing to pursue this. 

But I will say one other thing which is that I think we remain 
concerned domestically about the ultimate goals of the Administra- 
tion in this area and what I mean by that is that it was only IV2 
years ago that the Administration was testifying on Capitol Hill 
and the FBI director was testifying that he would like domestic 
controls on encryption, mandatory, key recoverable, and the House 
Intelligence Committee, in fact, passed a version of the SAFE Act 
that would have imposed that. 

Although it is somewhat reassuring, I guess, to hear the Admin- 
istration officials say that is not current policy, we don’t feel that 
this is far off the table. That remains our concern and I think the 
interchange between Chairman Gilman and the Justice Depart- 
ment witnesses was about domestic criminals using encryption and 
the only way that they are ever going to stop that is by some kind 
of domestic control. I think that is what we remain very fearful of. 



59 


Mr. Sherman. I would like to comment that domestic control at 
least has the advantage of being a logical action — I think incon- 
sistent with the Fourth Amendment — ^but a logical action where 
you are actually achieving a law enforcement purpose other than 
punishing an industry for coming up with technology. I yield back. 

Mr. Campbell. I thank the gentleman. We are at the end of our 
hearing, but I would like to offer each of the panelists 1 minute, 
if each wishes, to add anything that he or she did not have the op- 
portunity to add heretofore. Is there anyone who wishes to avail 
himself or herself of this opportunity? Mr. Rubinstein. 

Mr. Rubinstein. Yes. I would like to add one point which is that 
I think the hope of the Administration policy was that key escrow 
or some form of it would become so ubiquitous that everybody 
would use it and only the very small substratum of very sophisti- 
cated criminals would escape from that and, as the Administration 
readily admits, they can never really do anything about that. 

But as the market has rejected that type of key escrow for rea- 
sons that Congressman Goodlatte alluded to earlier — its cost, its 
complexity, its vulnerability — as the market has rejected that and 
as the Administration has begun to soften its message on key re- 
covery and say we are not insisting on any one technology; there 
are many different approaches; et cetera, the very logic of their po- 
sition begins to erode because if there are no mandatory controls 
and if nonrecovery encryption is available overseas, then it is no 
longer apparent what the ongoing controls would achieve. 

Mr. Campbell. Read you loud and clear. Anyone else wish to 
speak? Mr. Davidson. 

Mr. Davidson. First of all I would like to say to the Chair, I 
think that the Chair is right about the Bill of Rights and the 
Fourth Amendment as it applies to this area. You are very much 
on point. While we will see and are hopeful about how it moves in 
the courts, I think that that should inform Congresses decisions in 
terms of thinking about encryption. I would also commend this 
Bernstein decision to you from the Ninth Circuit. It is quite inter- 
esting. The last thing I would just say very briefly is I am noticing 
that Mr. Goodlatte’s attendance here at the bitter end of this hear- 
ing, and his commitment to this issue for the last several years and 
I would like to thank him for that because this has been very im- 
portant for individual privacy. 

Mr. Campbell. Appropriate and so noted. Mr. Smith. 

Mr. Jeffrey Smith. One more minute to go back to a point Mr. 
Bereuter made about the conversations between industry and the 
Administration, initially done by John Deutsch when he was the 
Director of Central Intelligence. That dialogue has continued. I 
think my colleague Mr. Rubinstein made the point but I think it 
is important for this Committee to understand that there is a con- 
tinuing dialogue, but it is a very difficult one to maintain because 
one is reluctant to discuss it too much in these public sessions. So 
I think it is something to be explored offline. 

Second, to urge this Committee to take the long-run view of this 
policy. Our concern is that the Administration’s policy is a short- 
term policy and our strong view is that both the law enforcement 
and national security interests need to be seen by Congress in the 
long-run and that only the kind of solution that is proposed by this 



60 


bill, in our judgment, strikes the balance, gives the government 
what it needs, gives industry and citizens what they need. 

Mr. Campbell. Thank you. With that, the meeting of the Sub- 
committee on International Economic Policy and Trade stands ad- 
journed. 

[Whereupon, at 5:35, the Subcommittee was adjourned.] 



